Windows Analysis Report
Adobe-Setup.msi

Overview

General Information

Sample name: Adobe-Setup.msi
Analysis ID: 1528310
MD5: efef047506a403740c439b2f071e3901
SHA1: a938f60b6f5b645d81e6a5f41fdf16f9610db8e6
SHA256: c25b566d99d55fe5cb1a19290748dac70845663fe0f8bf78f741fe4440055551
Tags: msi, PlugX, user-smica83

Detection

Korplug
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Korplug
AI detected suspicious sample
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking mutex)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to get notified if a device is plugged in / out
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • msiexec.exe (PID: 7408 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Adobe-Setup.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7452 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • LDeviceDetectionHelper.exe (PID: 7524 cmdline: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe MD5: 084FE5E54DBF4D7287B48C5695D02D17)
      • LDeviceDetectionHelper.exe (PID: 7608 cmdline: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe 979 576 MD5: 084FE5E54DBF4D7287B48C5695D02D17)
  • LDeviceDetectionHelper.exe (PID: 7792 cmdline: "C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe" 890 904 MD5: 084FE5E54DBF4D7287B48C5695D02D17)
  • LDeviceDetectionHelper.exe (PID: 7992 cmdline: "C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe" 890 904 MD5: 084FE5E54DBF4D7287B48C5695D02D17)
  • cleanup
Name: PlugX, Korplug
Description: RSA describes PlugX as a RAT (Remote Access Trojan) malware family that is around since 2008 and is used as a backdoor to control the victim's machine fully. Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system. Notable features of this malware family are the ability to execute commands on the affected machine to retrieve:
  • machine information
  • capture the screen
  • send keyboard and mouse events
  • keylogging
  • reboot the system
  • manage processes (create, kill and enumerate)
  • manage services (create, start, stop, etc.); and
  • manage Windows registry entries, open a shell, etc.
The malware also logs its events in a text log file.
Attribution:
  • APT 22
  • APT 26
  • APT31
  • APT41
  • Aurora Panda
  • Calypso group
  • DragonOK
  • EMISSARY PANDA
  • Hellsing
  • Hurricane Panda
  • Leviathan
  • Mirage
  • Mustang Panda
  • NetTraveler
  • Nightshade Panda
  • SLIME29
  • Samurai Panda
  • Stone Panda
  • UPS
  • Violin Panda
https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx
No configs have been found
Source: 00000002.00000002.1784376779.0000000002E2A000.00000004.00000010.00020000.00000000.sdmp, Rule: JoeSecurity_Korplug, Description: Yara detected Korplug, Author: Joe Security
Source: Process Memory Space: LDeviceDetectionHelper.exe PID: 7524, Rule: JoeSecurity_Korplug, Description: Yara detected Korplug, Author: Joe Security
      Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe" 890 904, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe, ProcessId: 7524, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SetPoint Update
      No Suricata rule has matched

      AV Detection

      Source: C:\ProgramData\SecurityScan\hid.dll, Avira: detection malicious, Label: TR/PlugX.leqhk
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\hid.dll, Avira: detection malicious, Label: TR/PlugX.leqhk
      Source: C:\ProgramData\SecurityScan\hid.dll, ReversingLabs: Detection: 54%
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\hid.dll, ReversingLabs: Detection: 54%
      Source: Adobe-Setup.msi, ReversingLabs: Detection: 36%
      Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.5% probability
      Source: Binary string: E:\BuildAgent\work\7589b5263c32e1c1\Source\Release\LDeviceDetectionHelper.pdb source: LDeviceDetectionHelper.exe, 00000002.00000000.1710310825.00000000009A9000.00000002.00000001.01000000.00000003.sdmp, LDeviceDetectionHelper.exe, 00000002.00000002.1783117717.00000000009A9000.00000002.00000001.01000000.00000003.sdmp, LDeviceDetectionHelper.exe, 00000003.00000000.1782419647.0000000000D59000.00000002.00000001.01000000.00000006.sdmp, LDeviceDetectionHelper.exe, 00000003.00000002.4168075838.0000000000D59000.00000002.00000001.01000000.00000006.sdmp, LDeviceDetectionHelper.exe, 00000005.00000000.1849627206.0000000000D59000.00000002.00000001.01000000.00000006.sdmp, LDeviceDetectionHelper.exe, 00000005.00000002.1895457738.0000000000D59000.00000002.00000001.01000000.00000006.sdmp, LDeviceDetectionHelper.exe, 00000008.00000000.1930888327.0000000000D59000.00000002.00000001.01000000.00000006.sdmp, LDeviceDetectionHelper.exe, 00000008.00000002.1971121159.0000000000D59000.00000002.00000001.01000000.00000006.sdmp, LDeviceDetectionHelper.exe.1.dr, LDeviceDetectionHelper.exe.2.dr
      Source: C:\Windows\System32\msiexec.exe, File opened: z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, c:, a:
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe, Code function: 2_2_0094E580 RegisterClassW, CreateWindowExW, GetLastError, std::exception::exception, __CxxThrowException@8, ShowWindow, RegisterDeviceNotificationW, GetLastError, GetMessageW, GetMessageW, TranslateMessage, DispatchMessageW, GetMessageW, 2_2_0094E580
      Source: unknown, TCP traffic detected without corresponding DNS query: 103.238.227.183
LDeviceDetectionHelper.exe, 00000003.00000003.3669187953.0000000009931000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3863600547.0000000009931000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3376841898.0000000009991000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3767111135.000000000995E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabZ
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.3147646947.000000000148A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/u
      Source: LDeviceDetectionHelper.exe, 00000003.00000002.4169746874.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4158149583.00000000014D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0086b90dcf
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.2703090408.00000000014D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?16098aafce
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.2606367351.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2703090408.00000000014D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?236454ae64
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.3387426657.00000000014D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?77317a1c89
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.2976574939.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2976497937.00000000014D3000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2889742100.00000000014D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?85a20ca57e
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.3756952025.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3669955034.00000000014CD000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3756857328.00000000014D0000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3757123606.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3757701783.00000000014D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?899fac7b36
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.3481992205.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3481669146.00000000014B1000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3481928245.00000000014D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?96c6009ad1
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.3768536052.00000000014D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9e65a423b9
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.3147622401.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3093536683.00000000014D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b009a331b2
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.3574543625.00000000014B0000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3574617934.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3574650189.00000000014D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b20e8ce041
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.3369600537.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3387426657.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3369735742.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3377207535.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3286685370.00000000014D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b92c29a6d3
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.2976574939.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2986330919.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2877736466.00000000014DB000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2976497937.00000000014D3000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2795451779.00000000014D8000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2889742100.00000000014D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c635d253bb
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.3970442752.00000000014D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ce1171f543
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.4158149583.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4059354172.00000000014D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ece842189c
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.3084946134.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2986330919.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3082176742.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3082977370.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3093536683.00000000014D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f886fafa07
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.3863784215.00000000014CD000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3863940073.00000000014DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?fa031dd401
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.3189552451.00000000014D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?fe827779c7
      Source: LDeviceDetectionHelper.exe, 00000002.00000003.1751800677.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, Adobe-Setup.msi, 3d4fbf.msi.1.dr, hid.dll.2.dr, 3d4fbd.msi.1.dr, hid.dll.1.drString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
      Source: LDeviceDetectionHelper.exe, 00000002.00000003.1751800677.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, Adobe-Setup.msi, 3d4fbf.msi.1.dr, hid.dll.2.dr, 3d4fbd.msi.1.dr, hid.dll.1.drString found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
      Source: LDeviceDetectionHelper.exe, 00000002.00000003.1751800677.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, Adobe-Setup.msi, 3d4fbf.msi.1.dr, hid.dll.2.dr, 3d4fbd.msi.1.dr, hid.dll.1.drString found in binary or memory: http://ocsp.sectigo.com0
      Source: LDeviceDetectionHelper.exe, 00000002.00000003.1751800677.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe.1.dr, LDeviceDetectionHelper.exe.2.drString found in binary or memory: http://ocsp.thawte.com0
      Source: LDeviceDetectionHelper.exe, 00000002.00000003.1751800677.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, Adobe-Setup.msi, 3d4fbf.msi.1.dr, hid.dll.2.dr, 3d4fbd.msi.1.dr, hid.dll.1.drString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
      Source: LDeviceDetectionHelper.exe, 00000002.00000003.1751800677.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, Adobe-Setup.msi, 3d4fbf.msi.1.dr, hid.dll.2.dr, 3d4fbd.msi.1.dr, hid.dll.1.drString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
      Source: LDeviceDetectionHelper.exe, 00000002.00000003.1751800677.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe.1.dr, LDeviceDetectionHelper.exe.2.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
      Source: LDeviceDetectionHelper.exe, 00000002.00000003.1751800677.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe.1.dr, LDeviceDetectionHelper.exe.2.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
      Source: LDeviceDetectionHelper.exe, 00000002.00000003.1751800677.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe.1.dr, LDeviceDetectionHelper.exe.2.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.3957752061.0000000009990000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000002.4174911278.000000000998A000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3286733273.000000000998F000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3189506832.000000000998D000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3563831199.000000000998D000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2785120188.000000000998C000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3481006442.0000000009931000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3969710295.000000000995D000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2794778012.000000000995C000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3369774109.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3574469532.0000000001489000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.238.227.183/
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.2594544348.0000000009991000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2510705212.0000000009991000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.238.227.183/1
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.3957722486.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3957559957.00000000014AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.238.227.183/J
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.3189587862.000000000998F000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3175736218.0000000009991000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4059505757.0000000009931000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4051601161.000000000998B000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4051786281.0000000009931000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3447878140.000000000148A000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4148938117.000000000995D000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3369634539.0000000009991000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4050639002.0000000009931000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4149469891.000000000995D000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3286733273.000000000998F000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3189506832.000000000998D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.238.227.183/L
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.2757694461.0000000001489000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3481669146.0000000001489000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3562358540.000000000148A000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3147646947.000000000148A000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3447878140.000000000148A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.238.227.183/M
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.2692901453.0000000009991000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2606387699.0000000009989000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2784703450.000000000998C000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2702672678.000000000998B000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2692277352.0000000009991000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2757825988.0000000009991000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2594544348.0000000009991000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2606464931.000000000998F000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2510705212.0000000009991000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2703218650.000000000998F000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2785120188.000000000998C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.238.227.183/Q
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.2692901453.0000000009991000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2784703450.000000000998C000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2702672678.000000000998B000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2692277352.0000000009991000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2879656930.000000000998D000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2757825988.0000000009991000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2795635041.000000000998B000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2795950854.000000000998F000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2878216156.000000000998D000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2703218650.000000000998F000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2785120188.000000000998C000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2794778012.000000000995C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.238.227.183/Z
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.3957722486.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3957559957.00000000014AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.238.227.183/a
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.3957722486.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4059410990.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4050415638.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3959353874.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3970620025.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4148705517.00000000014B0000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3369668887.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3957559957.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4059478971.00000000014AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.238.227.183/nc.
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.3957722486.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3957559957.00000000014AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.238.227.183/nc.Y
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.3369668887.00000000014BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.238.227.183/nc.q
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.3189678889.00000000014BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.238.227.183/vo0?
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.3369668887.00000000014BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.238.227.183/vop8
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.3574543625.00000000014B0000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2785101047.00000000014DB000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2606367351.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3481992205.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3147622401.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2976574939.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3826026103.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3658962762.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3581322995.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000002.4169746874.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3369600537.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3084946134.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3481669146.00000000014B1000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2510851709.00000000014DC000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2986330919.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3082176742.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3387426657.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, 
LDeviceDetectionHelper.exe, 00000003.00000003.3574617934.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3082977370.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3470850626.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3854655550.00000000014D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.238.227.183:443/
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.2606367351.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2510851709.00000000014DC000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2594895649.00000000014DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.238.227.183:443/K
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.2785101047.00000000014DB000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2877736466.00000000014DB000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2795451779.00000000014D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.238.227.183:443/L
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.2510851709.00000000014DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.238.227.183:443/P
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.2606367351.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2510851709.00000000014DC000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2594895649.00000000014DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.238.227.183:443/X
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.3854655550.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3853148549.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4050132424.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3970442752.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3863784215.00000000014CD000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3863940073.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4059354172.00000000014D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.238.227.183:443/c
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.2510851709.00000000014DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.238.227.183:443/h
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.3574543625.00000000014B0000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3481992205.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3369600537.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3481669146.00000000014B1000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3387426657.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3574617934.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3470850626.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3369735742.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3377207535.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3562456061.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3447800830.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3574650189.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3481928245.00000000014D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.238.227.183:443/k
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.3275593678.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3286685370.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3189552451.00000000014D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.238.227.183:443/m:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b009a331b20
      Source: LDeviceDetectionHelper.exe, 00000002.00000003.1751800677.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, Adobe-Setup.msi, 3d4fbf.msi.1.dr, hid.dll.2.dr, 3d4fbd.msi.1.dr, hid.dll.1.drString found in binary or memory: https://sectigo.com/CPS0
      Source: LDeviceDetectionHelper.exe, 00000002.00000003.1751800677.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, Adobe-Setup.msi, 3d4fbf.msi.1.dr, hid.dll.2.dr, 3d4fbd.msi.1.dr, hid.dll.1.drString found in binary or memory: https://www.globalsign.com/repository/0
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe Code function: 2_2_10012799 CreateThread,CreateThread,NtdllDefWindowProc_W
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe Code function: 2_2_10011D5C memmove,memmove,Sleep,GetFileSize,ReadFile,ReadFile,Sleep,Sleep,memmove,memmove,Sleep,Sleep,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,memmove,memmove,Sleep,EnumSystemGeoID,EnumSystemGeoID
      Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\3d4fbd.msi
      Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
      Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{F4D6B0DD-2932-436A-82C5-1296767ABB90}
      Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI50D6.tmp
      Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\3d4fbf.msi
      Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\3d4fbf.msi
      Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\3d4fbf.msi
      Source: Joe Sandbox View Dropped File: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe 282FC12E4F36B6E2558F5DD33320385F41E72D3A90D0D3777A31EF1BA40722D6
      Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe 282FC12E4F36B6E2558F5DD33320385F41E72D3A90D0D3777A31EF1BA40722D6
      Source: classification engine Classification label: mal92.troj.evad.winMSI@8/27@0/2
      Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CML5115.tmp
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe Mutant created: \Sessions\1\BaseNamedObjects\DdVeGEFDt
      Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DFA0D73703F2E63F02.TMP
      Source: C:\Windows\System32\msiexec.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: Adobe-Setup.msi Static file information: TRID: Microsoft Windows Installer (60509/1) 88.31%
      Source: Adobe-Setup.msi ReversingLabs: Detection: 36%
      Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Adobe-Setup.msi"
      Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
      Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe Process created: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe 979 576
      Source: unknown Process created: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe "C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe" 890 904
      Source: unknown Process created: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe "C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe" 890 904
      Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
      Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeSection loaded: hid.dllJump to behavior
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: hid.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: version.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: webio.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: schannel.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: cryptnet.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: dhcpcsvc6.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: dhcpcsvc.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: profapi.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: cabinet.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: dpapi.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: napinsp.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: pnrpnsp.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: wshbth.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: nlaapi.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: winrnr.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: hid.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: version.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: hid.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: version.dllJump to behavior
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeSection loaded: winhttp.dllJump to behavior
      Source: Adobe-Setup.msiStatic file information: File size 1114112 > 1048576
      Source: Binary string: E:\BuildAgent\work\7589b5263c32e1c1\Source\Release\LDeviceDetectionHelper.pdb source: LDeviceDetectionHelper.exe, 00000002.00000000.1710310825.00000000009A9000.00000002.00000001.01000000.00000003.sdmp, LDeviceDetectionHelper.exe, 00000002.00000002.1783117717.00000000009A9000.00000002.00000001.01000000.00000003.sdmp, LDeviceDetectionHelper.exe, 00000003.00000000.1782419647.0000000000D59000.00000002.00000001.01000000.00000006.sdmp, LDeviceDetectionHelper.exe, 00000003.00000002.4168075838.0000000000D59000.00000002.00000001.01000000.00000006.sdmp, LDeviceDetectionHelper.exe, 00000005.00000000.1849627206.0000000000D59000.00000002.00000001.01000000.00000006.sdmp, LDeviceDetectionHelper.exe, 00000005.00000002.1895457738.0000000000D59000.00000002.00000001.01000000.00000006.sdmp, LDeviceDetectionHelper.exe, 00000008.00000000.1930888327.0000000000D59000.00000002.00000001.01000000.00000006.sdmp, LDeviceDetectionHelper.exe, 00000008.00000002.1971121159.0000000000D59000.00000002.00000001.01000000.00000006.sdmp, LDeviceDetectionHelper.exe.1.dr, LDeviceDetectionHelper.exe.2.dr
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: 2_2_0098E6AF LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_0098E6AF
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: 2_2_00974375 push ecx; ret 2_2_00974388
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: 2_2_00976AEA push edi; ret 2_2_00976AEC
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: 2_2_00976C03 push esi; ret 2_2_00976C05
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: 2_2_00976DDE push esi; ret 2_2_00976DE0
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: 2_2_00976EC7 push edi; ret 2_2_00976EC9
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: 2_2_00977757 push esi; ret 2_2_00977767
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: 2_2_0097798B push edi; ret 2_2_0097798D
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: 2_2_0096DAA6 push ecx; ret 2_2_0096DAB9
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: 2_2_00977A29 push edi; ret 2_2_00977A2B
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: 2_2_02CB41A2 push eax; ret 2_2_02CB41A3
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: 2_2_04DF4DA2 push eax; ret 2_2_04DF4DA3
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: 3_2_00D24375 push ecx; ret 3_2_00D24388
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: 3_2_00D26AEA push edi; ret 3_2_00D26AEC
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: 3_2_00D26C03 push esi; ret 3_2_00D26C05
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: 3_2_00D26DDE push esi; ret 3_2_00D26DE0
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: 3_2_00D26EC7 push edi; ret 3_2_00D26EC9
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: 3_2_00D27757 push esi; ret 3_2_00D27767
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: 3_2_00D2798B push edi; ret 3_2_00D2798D
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: 3_2_00D1DAA6 push ecx; ret 3_2_00D1DAB9
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: 3_2_00D27A29 push edi; ret 3_2_00D27A2B
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: 3_2_053541A2 push eax; ret 3_2_053541A3
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe File created: C:\ProgramData\SecurityScan\hid.dll
      Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\gVCgHiMSMMBE\hid.dll
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe File created: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe
      Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SetPoint Update

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe Memory written: PID: 7524 base: 74DF1720 value: E9 14 FA FD 8F
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe Memory written: PID: 7608 base: 74DF1720 value: E9 14 FA 5D 90
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe Memory written: PID: 7792 base: 74DF1720 value: E9 14 FA 78 90
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe Memory written: PID: 7992 base: 74DF1720 value: E9 14 FA 7C 90
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: 2_2_0095ECA0 LoadLibraryW,GetLastError,std::exception::exception,__CxxThrowException@8,GetProcAddress,GetLastError,std::exception::exception,__CxxThrowException@8,GetProcAddress,GetLastError,std::exception::exception,__CxxThrowException@8,GetProcAddress,GetLastError,std::exception::exception,__CxxThrowException@8,GetProcAddress,GetLastError,std::exception::exception,__CxxThrowException@8,GetProcAddress,GetLastError,std::exception::exception,__CxxThrowException@8,GetProcAddress,GetLastError,std::exception::exception,__CxxThrowException@8,GetProcAddress,GetLastError,std::exception::exception,__CxxThrowException@8,LoadLibraryW,GetLastError,std::exception::exception,__CxxThrowException@8,GetProcAddress,GetLastError,std::exception::exception,__CxxThrowException@8,GetProcAddress,GetLastError,std::exception::exception,__CxxThrowException@8,GetProcAddress,GetLastError,std::exception::exception,__CxxThrowException@8,2_2_0095ECA0
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
      Source: C:\Windows\System32\msiexec.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob
      Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX

      Malware Analysis System Evasion

      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe Window / User API: threadDelayed 9653
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_2-107805
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe API coverage: 7.8 %
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe TID: 7664 Thread sleep count: 241 > 30
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe TID: 7664 Thread sleep time: -241000s >= -30000s
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe TID: 7664 Thread sleep count: 9653 > 30
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe TID: 7664 Thread sleep time: -9653000s >= -30000s
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe TID: 7816 Thread sleep count: 98 > 30
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe TID: 8008 Thread sleep count: 78 > 30
      Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
      Source: LDeviceDetectionHelper.exe, 00000003.00000003.2757694461.0000000001489000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4148705517.000000000148A000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4059410990.0000000001489000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4158200503.0000000001489000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3481669146.0000000001489000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3562358540.000000000148A000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3826281111.000000000148A000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3147646947.000000000148A000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3447878140.000000000148A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: LDeviceDetectionHelper.exe, 00000003.00000002.4169171667.0000000001438000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWpoH
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe API call chain: ExitProcess graph end node graph_2-107978
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe API call chain: ExitProcess graph end node graph_2-108790
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe API call chain: ExitProcess graph end node
      Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation

      Anti Debugging

      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe Code function: 2_2_04DD6BF1 CheckRemoteDebuggerPresent,2_2_04DD6BF1
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe Debugger detection routine: IsDebuggerPresent or CheckRemoteDebuggerPresent, DecisionNodes, ExitProcess or Sleep graph_2-108801
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe Process queried: DebugPort
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe Process queried: DebugPort
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe Code function: 2_2_0096CC67 IsDebuggerPresent,2_2_0096CC67
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe Code function: 2_2_0098B164 EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,2_2_0098B164
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe Code function: 2_2_0098E6AF LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_0098E6AF
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe Code function: 2_2_02D1A122 mov eax, dword ptr fs:[00000030h] 2_2_02D1A122
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe Code function: 2_2_02D1BE75 mov eax, dword ptr fs:[00000030h] 2_2_02D1BE75
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe Code function: 2_2_04E5AD22 mov eax, dword ptr fs:[00000030h] 2_2_04E5AD22
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe Code function: 3_2_053BA122 mov eax, dword ptr fs:[00000030h] 3_2_053BA122
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe Code function: 3_2_053BBE75 mov eax, dword ptr fs:[00000030h] 3_2_053BBE75
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe Code function: 2_2_0099C262 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,2_2_0099C262
      Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe Code function: 2_2_00972045 SetUnhandledExceptionFilter,2_2_00972045
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe Code function: 2_2_00972068 SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00972068
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe Code function: 3_2_00D22045 SetUnhandledExceptionFilter,3_2_00D22045
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe Code function: 3_2_00D22068 SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00D22068
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe Process created: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe 979 576
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe Code function: 2_2_02D178C9 cpuid 2_2_02D178C9
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,2_2_0098C00C
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,GetLocaleInfoW,2_2_00994583
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: EnumSystemLocalesW,2_2_009947F3
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,2_2_009948B0
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,2_2_00994833
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,2_2_00974876
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,2_2_00994933
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: GetLocaleInfoW,2_2_00994B26
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: GetLocaleInfoW,_GetPrimaryLen,2_2_00994CFB
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_00994C4E
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: _memset,_TranslateName,_TranslateName,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,2_2_00994D63
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,2_2_0098B4C2
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,2_2_0098B5FF
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: EnumSystemLocalesW,2_2_00973A1D
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,2_2_0098BA08
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: GetLocaleInfoW,2_2_00973A5A
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeW,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,2_2_0096FCB8
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,3_2_00D3C00C
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,GetLocaleInfoW,3_2_00D44583
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: EnumSystemLocalesW,3_2_00D447F3
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,3_2_00D448B0
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,3_2_00D24876
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,3_2_00D44833
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,3_2_00D44933
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: GetLocaleInfoW,3_2_00D44B26
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: GetLocaleInfoW,_GetPrimaryLen,3_2_00D44CFB
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_00D44C4E
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: _memset,_TranslateName,_TranslateName,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,3_2_00D44D63
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,3_2_00D3B4C2
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,3_2_00D3B5FF
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: GetLocaleInfoW,3_2_00D23A5A
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: EnumSystemLocalesW,3_2_00D23A1D
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,3_2_00D3BA08
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeW,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,3_2_00D1FCB8
      Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: 2_2_0097556F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,2_2_0097556F
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: 2_2_009816BE GetVersionExW,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,2_2_009816BE
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Windows\System32\msiexec.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

      Stealing of Sensitive Information

      Source: Yara matchFile source: 00000002.00000002.1784376779.0000000002E2A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: LDeviceDetectionHelper.exe PID: 7524, type: MEMORYSTR

      Remote Access Functionality

      Source: Yara matchFile source: 00000002.00000002.1784376779.0000000002E2A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: LDeviceDetectionHelper.exe PID: 7524, type: MEMORYSTR
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: 2_2_00991375 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,2_2_00991375
      Source: C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exeCode function: 2_2_00991EDD Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,2_2_00991EDD
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: 3_2_00D41375 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,3_2_00D41375
      Source: C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exeCode function: 3_2_00D41EDD Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,3_2_00D41EDD

      | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
      |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
      | Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 12 Native API | 1 Registry Run Keys / Startup Folder | 11 Process Injection | 11 Masquerading | 1 Credential API Hooking | 1 System Time Discovery | Remote Services | 1 Credential API Hooking | 12 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
      | Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 1 Modify Registry | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | 1 Archive Collected Data | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
      | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 12 Virtualization/Sandbox Evasion | Security Account Manager | 341 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
      | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Disable or Modify Tools | NTDS | 12 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
      | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
      | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
      | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Obfuscated Files or Information | DCSync | 21 Peripheral Device Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
      | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 35 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
      | Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 File Deletion | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |

      [Behavior graph. ID: 1528310; Sample: Adobe-Setup.msi; Startdate: 07/10/2024; Architecture: WINDOWS; Score: 92. msiexec.exe drops C:\Users\user\AppData\Local\...\hid.dll (PE32) and C:\Users\user\...\LDeviceDetectionHelper.exe (PE32) and starts LDeviceDetectionHelper.exe. That process drops C:\ProgramData\SecurityScan\hid.dll (PE32) and C:\ProgramData\...\LDeviceDetectionHelper.exe (PE32) and starts a further LDeviceDetectionHelper.exe, whose DNS/IP nodes are 103.238.227.183, 443, 49734, 49875 (CLOUDIE-AS-APCloudieLimitedHK, Hong Kong) and 192.168.2.16.]

      | Source | Detection | Scanner | Label | Link |
      |---|---|---|---|---|
      | Adobe-Setup.msi | 37% | ReversingLabs | Win32.Trojan.Plug | |

      | Source | Detection | Scanner | Label | Link |
      |---|---|---|---|---|
      | C:\ProgramData\SecurityScan\hid.dll | 100% | Avira | TR/PlugX.leqhk | |
      | C:\Users\user\AppData\Local\gVCgHiMSMMBE\hid.dll | 100% | Avira | TR/PlugX.leqhk | |
      | C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe | 0% | ReversingLabs | | |
      | C:\ProgramData\SecurityScan\hid.dll | 54% | ReversingLabs | Win32.Trojan.Plug | |
      | C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe | 0% | ReversingLabs | | |
      | C:\Users\user\AppData\Local\gVCgHiMSMMBE\hid.dll | 54% | ReversingLabs | Win32.Trojan.Plug | |

      No Antivirus matches

      No Antivirus matches

      | Source | Detection | Scanner | Label | Link |
      |---|---|---|---|---|
      | https://sectigo.com/CPS0 | 0% | URL Reputation | safe | |
      | http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0# | 0% | URL Reputation | safe | |
      | http://ocsp.sectigo.com0 | 0% | URL Reputation | safe | |
      | http://ocsp.thawte.com0 | 0% | URL Reputation | safe | |
      | http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0 | 0% | URL Reputation | safe | |
      | http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | URL Reputation | safe | |
      | http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z | 0% | URL Reputation | safe | |
      | http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0# | 0% | URL Reputation | safe | |

      | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
      |---|---|---|---|---|---|
      | bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown |
        NameSourceMaliciousAntivirus DetectionReputation
        https://103.238.227.183/nc.qLDeviceDetectionHelper.exe, 00000003.00000003.3369668887.00000000014BE000.00000004.00000020.00020000.00000000.sdmpfalse
          unknown
          https://sectigo.com/CPS0LDeviceDetectionHelper.exe, 00000002.00000003.1751800677.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, Adobe-Setup.msi, 3d4fbf.msi.1.dr, hid.dll.2.dr, 3d4fbd.msi.1.dr, hid.dll.1.drfalse
          • URL Reputation: safe
          unknown
          http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#LDeviceDetectionHelper.exe, 00000002.00000003.1751800677.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, Adobe-Setup.msi, 3d4fbf.msi.1.dr, hid.dll.2.dr, 3d4fbd.msi.1.dr, hid.dll.1.drfalse
          • URL Reputation: safe
          unknown
          http://ocsp.sectigo.com0LDeviceDetectionHelper.exe, 00000002.00000003.1751800677.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, Adobe-Setup.msi, 3d4fbf.msi.1.dr, hid.dll.2.dr, 3d4fbd.msi.1.dr, hid.dll.1.drfalse
          • URL Reputation: safe
          unknown
          https://103.238.227.183/QLDeviceDetectionHelper.exe, 00000003.00000003.2692901453.0000000009991000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2606387699.0000000009989000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2784703450.000000000998C000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2702672678.000000000998B000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2692277352.0000000009991000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2757825988.0000000009991000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2594544348.0000000009991000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2606464931.000000000998F000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2510705212.0000000009991000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2703218650.000000000998F000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2785120188.000000000998C000.00000004.00000020.00020000.00000000.sdmpfalse
            unknown
            http://ocsp.thawte.com0LDeviceDetectionHelper.exe, 00000002.00000003.1751800677.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe.1.dr, LDeviceDetectionHelper.exe.2.drfalse
            • URL Reputation: safe
            unknown
            https://103.238.227.183/JLDeviceDetectionHelper.exe, 00000003.00000003.3957722486.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3957559957.00000000014AC000.00000004.00000020.00020000.00000000.sdmpfalse
              unknown
              https://103.238.227.183/MLDeviceDetectionHelper.exe, 00000003.00000003.2757694461.0000000001489000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3481669146.0000000001489000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3562358540.000000000148A000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3147646947.000000000148A000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3447878140.000000000148A000.00000004.00000020.00020000.00000000.sdmpfalse
                unknown
                https://103.238.227.183/vop8LDeviceDetectionHelper.exe, 00000003.00000003.3369668887.00000000014BE000.00000004.00000020.00020000.00000000.sdmpfalse
                  unknown
                  https://103.238.227.183/LLDeviceDetectionHelper.exe, 00000003.00000003.3189587862.000000000998F000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3175736218.0000000009991000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4059505757.0000000009931000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4051601161.000000000998B000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4051786281.0000000009931000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3447878140.000000000148A000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4148938117.000000000995D000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3369634539.0000000009991000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4050639002.0000000009931000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4149469891.000000000995D000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3286733273.000000000998F000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3189506832.000000000998D000.00000004.00000020.00020000.00000000.sdmpfalse
                    unknown
                    https://103.238.227.183/nc.LDeviceDetectionHelper.exe, 00000003.00000003.3957722486.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4059410990.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4050415638.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3959353874.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3970620025.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4148705517.00000000014B0000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3369668887.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3957559957.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4059478971.00000000014AF000.00000004.00000020.00020000.00000000.sdmpfalse
                      unknown
                      https://103.238.227.183:443/LDeviceDetectionHelper.exe, 00000003.00000003.3574543625.00000000014B0000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2785101047.00000000014DB000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2606367351.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3481992205.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3147622401.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2976574939.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3826026103.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3658962762.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3581322995.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000002.4169746874.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3369600537.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3084946134.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3481669146.00000000014B1000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2510851709.00000000014DC000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2986330919.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3082176742.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 
00000003.00000003.3387426657.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3574617934.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3082977370.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3470850626.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3854655550.00000000014D5000.00000004.00000020.00020000.00000000.sdmpfalse
                        unknown
                        https://103.238.227.183:443/hLDeviceDetectionHelper.exe, 00000003.00000003.2510851709.00000000014DC000.00000004.00000020.00020000.00000000.sdmpfalse
                          unknown
                          https://103.238.227.183:443/cLDeviceDetectionHelper.exe, 00000003.00000003.3854655550.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3853148549.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4050132424.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3970442752.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3863784215.00000000014CD000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3863940073.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.4059354172.00000000014D7000.00000004.00000020.00020000.00000000.sdmpfalse
                            unknown
                            https://103.238.227.183:443/kLDeviceDetectionHelper.exe, 00000003.00000003.3574543625.00000000014B0000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3481992205.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3369600537.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3481669146.00000000014B1000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3387426657.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3574617934.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3470850626.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3369735742.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3377207535.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3562456061.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3447800830.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3574650189.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3481928245.00000000014D1000.00000004.00000020.00020000.00000000.sdmpfalse
                              unknown
                              http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0LDeviceDetectionHelper.exe, 00000002.00000003.1751800677.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, Adobe-Setup.msi, 3d4fbf.msi.1.dr, hid.dll.2.dr, 3d4fbd.msi.1.dr, hid.dll.1.drfalse
                              • URL Reputation: safe
                              unknown
                              https://103.238.227.183/LDeviceDetectionHelper.exe, 00000003.00000003.3957752061.0000000009990000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000002.4174911278.000000000998A000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3286733273.000000000998F000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3189506832.000000000998D000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3563831199.000000000998D000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2785120188.000000000998C000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3481006442.0000000009931000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3969710295.000000000995D000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2794778012.000000000995C000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3369774109.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3574469532.0000000001489000.00000004.00000020.00020000.00000000.sdmpfalse
                                unknown
                                https://103.238.227.183:443/XLDeviceDetectionHelper.exe, 00000003.00000003.2606367351.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2510851709.00000000014DC000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2594895649.00000000014DC000.00000004.00000020.00020000.00000000.sdmpfalse
                                  unknown
                                  http://crl.thawte.com/ThawteTimestampingCA.crl0LDeviceDetectionHelper.exe, 00000002.00000003.1751800677.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe.1.dr, LDeviceDetectionHelper.exe.2.drfalse
                                  • URL Reputation: safe
                                  unknown
                                  https://103.238.227.183/1LDeviceDetectionHelper.exe, 00000003.00000003.2594544348.0000000009991000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2510705212.0000000009991000.00000004.00000020.00020000.00000000.sdmpfalse
                                    unknown
                                    http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0zLDeviceDetectionHelper.exe, 00000002.00000003.1751800677.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, Adobe-Setup.msi, 3d4fbf.msi.1.dr, hid.dll.2.dr, 3d4fbd.msi.1.dr, hid.dll.1.drfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://103.238.227.183/nc.YLDeviceDetectionHelper.exe, 00000003.00000003.3957722486.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3957559957.00000000014AC000.00000004.00000020.00020000.00000000.sdmpfalse
                                      unknown
                                      https://103.238.227.183/vo0?LDeviceDetectionHelper.exe, 00000003.00000003.3189678889.00000000014BE000.00000004.00000020.00020000.00000000.sdmpfalse
                                        unknown
                                        https://103.238.227.183/aLDeviceDetectionHelper.exe, 00000003.00000003.3957722486.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3957559957.00000000014AC000.00000004.00000020.00020000.00000000.sdmpfalse
                                          unknown
                                          https://103.238.227.183:443/PLDeviceDetectionHelper.exe, 00000003.00000003.2510851709.00000000014DC000.00000004.00000020.00020000.00000000.sdmpfalse
                                            unknown
                                            https://103.238.227.183/ZLDeviceDetectionHelper.exe, 00000003.00000003.2692901453.0000000009991000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2784703450.000000000998C000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2702672678.000000000998B000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2692277352.0000000009991000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2879656930.000000000998D000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2757825988.0000000009991000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2795635041.000000000998B000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2795950854.000000000998F000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2878216156.000000000998D000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2703218650.000000000998F000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2785120188.000000000998C000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2794778012.000000000995C000.00000004.00000020.00020000.00000000.sdmpfalse
                                              unknown
                                              https://103.238.227.183:443/KLDeviceDetectionHelper.exe, 00000003.00000003.2606367351.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2510851709.00000000014DC000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2594895649.00000000014DC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                unknown
                                                https://103.238.227.183:443/m:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b009a331b20LDeviceDetectionHelper.exe, 00000003.00000003.3275593678.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3286685370.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.3189552451.00000000014D2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  unknown
                                                  http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#LDeviceDetectionHelper.exe, 00000002.00000003.1751800677.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, Adobe-Setup.msi, 3d4fbf.msi.1.dr, hid.dll.2.dr, 3d4fbd.msi.1.dr, hid.dll.1.drfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://103.238.227.183:443/LLDeviceDetectionHelper.exe, 00000003.00000003.2785101047.00000000014DB000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2877736466.00000000014DB000.00000004.00000020.00020000.00000000.sdmp, LDeviceDetectionHelper.exe, 00000003.00000003.2795451779.00000000014D8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    unknown
IP | Domain | Country | ASN | ASN Name | Malicious
103.238.227.183 | unknown | Hong Kong | 55933 | CLOUDIE-AS-APCloudieLimitedHK | false
                                                    IP
                                                    192.168.2.16
                                                    Joe Sandbox version:41.0.0 Charoite
                                                    Analysis ID:1528310
                                                    Start date and time:2024-10-07 19:09:07 +02:00
                                                    Joe Sandbox product:CloudBasic
                                                    Overall analysis duration:0h 10m 11s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:full
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                    Number of analysed new started processes analysed:10
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Sample name:Adobe-Setup.msi
                                                    Detection:MAL
                                                    Classification:mal92.troj.evad.winMSI@8/27@0/2
                                                    EGA Information:
                                                    • Successful, ratio: 100%
                                                    HCA Information:
                                                    • Successful, ratio: 90%
                                                    • Number of executed functions: 39
                                                    • Number of non-executed functions: 48
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .msi
                                                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                    • Excluded IPs from analysis (whitelisted): 93.184.221.240, 199.232.210.172
                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
                                                    • Not all processes where analyzed, report is missing behavior information
                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                                    • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                    • VT rate limit hit for: Adobe-Setup.msi
Time | Type | Description
13:10:12 | API Interceptor | 9224520x Sleep call for process: LDeviceDetectionHelper.exe modified
18:10:07 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SetPoint Update "C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe" 890 904
18:10:15 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SetPoint Update "C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe" 890 904
Match | Associated Sample Name / URL | Detection | Threat Name
103.238.227.183 | ocHM0z1PTT.msi | malicious | Unknown
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | https://dsdhie.org/dsjhem | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | TuQlz67byH.exe | malicious | LummaC | 199.232.210.172
bg.microsoft.map.fastly.net | 45Ywq5ad5H.exe | malicious | LummaC, Stealc, Vidar | 199.232.214.172
bg.microsoft.map.fastly.net | f1r6P3j3g7.exe | malicious | LummaC, Vidar | 199.232.214.172
bg.microsoft.map.fastly.net | lCVFGKfczi.exe | malicious | Vidar | 199.232.214.172
bg.microsoft.map.fastly.net | 1f13Cs1ogc.exe | malicious | Stealc | 199.232.214.172
bg.microsoft.map.fastly.net | NdSXVNeoET.exe | malicious | LummaC, Stealc, Vidar | 199.232.210.172
bg.microsoft.map.fastly.net | vEcIHT68pU.exe | malicious | LummaC | 199.232.214.172
bg.microsoft.map.fastly.net | file.exe | malicious | Vidar | 199.232.214.172
bg.microsoft.map.fastly.net | file.exe | malicious | Stealc, Vidar | 199.232.214.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDIE-AS-APCloudieLimitedHK | na.elf | malicious | Gafgyt | 43.240.13.119
CLOUDIE-AS-APCloudieLimitedHK | na.elf | malicious | Unknown | 103.212.49.88
CLOUDIE-AS-APCloudieLimitedHK | novo.mips.elf | malicious | Mirai, Moobot | 191.96.215.15
CLOUDIE-AS-APCloudieLimitedHK | H1pXo79CPd | malicious | GhostRat | 103.118.253.78
CLOUDIE-AS-APCloudieLimitedHK | SOA.exe | malicious | FormBook | 103.59.102.59
CLOUDIE-AS-APCloudieLimitedHK | http://telegsramc.club/ | malicious | Telegram Phisher | 103.76.84.225
CLOUDIE-AS-APCloudieLimitedHK | https://www.shopapptime.xyz/ | malicious | Unknown | 45.153.129.178
CLOUDIE-AS-APCloudieLimitedHK | https://tosigos.com/ | malicious | Unknown | 202.181.24.16
CLOUDIE-AS-APCloudieLimitedHK | https://aomzsmaszs.com/index/ap/register | malicious | Unknown | 93.177.76.90
CLOUDIE-AS-APCloudieLimitedHK | http://timihref.com/ | malicious | Unknown | 202.181.26.245
                                                      No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe | ocHM0z1PTT.msi | malicious | Unknown
C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe | ocHM0z1PTT.msi | malicious | Unknown
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8799
                                                          Entropy (8bit):5.603961504073739
                                                          Encrypted:false
                                                          SSDEEP:192:8yFzdbbeWbqCY/IPqCY/AhlC1I8xS3jasm0opjhB:8yFzdbHqCdqCLhlmI8xSzChB
                                                          MD5:F9DFE63005C8AF20B5B638C02B61BA6E
                                                          SHA1:5D2F6528A362799F565574EC2C1CA00168CB1F85
                                                          SHA-256:DFB1421CA31977A3EC9B7380A0BB766ACEEC0C8AA17703FD1BA735EB4F6EF19C
                                                          SHA-512:CF7A08E8D00AD8900B2805256D8E978FF6D6538353E8B6C7266EB725F71CBA2AB1C5E50481332DB0265782D113AFF7881A2CD5C7DB5439D58258B4E815EB91D9
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:...@IXOS.@.....@AiGY.@.....@.....@.....@.....@.....@......&.{F4D6B0DD-2932-436A-82C5-1296767ABB90}..Windows Installer..Adobe-Setup.msi.@.....@....@.....@........&.{A509E431-2CD2-476D-A0C7-B01FC235F124}.....@.....@.....@.....@.......@.....@.....@.......@......Windows Installer......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{AA0FBF6B-45F7-443D-8835-BDF4F3E57D47}&.{F4D6B0DD-2932-436A-82C5-1296767ABB90}.@......&.{BA0FBF6B-45F7-443F-8835-BDF4F3E57D48}&.{F4D6B0DD-2932-436A-82C5-1296767ABB90}.@......&.{CA0FBF6B-45F7-443F-8835-BDF4F3E57D48}&.{F4D6B0DD-2932-436A-82C5-1296767ABB90}.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..*.C:\Users\user\AppData\Local\gVCgHiMSMMBE\....D.C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe....1.C:\Users\user\AppData\Local\gVCgHiMSMMBE\hid.dll....5.C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDevice.dat....
                                                          Process:C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):636416
                                                          Entropy (8bit):7.999714858613865
                                                          Encrypted:true
                                                          SSDEEP:12288:POVwM2IsGOK9DsAB5nNXDZJKkrLL7w3WTXgttJhXpA6ZP10Ox1QyjgjJOuZ9KbVS:PXdcOK9gABvOk3n6WTXgtZXpjPeOXQ+6
                                                          MD5:D31AC55A11C74E8A70E1AE4E9A2A40CB
                                                          SHA1:4E884EEDF93ABA3019D20BC0EBC8257AA94D953C
                                                          SHA-256:4AAB12011D917E87D743A467A322F00706EA6D042C9C211709934825876B3B01
                                                          SHA-512:E048681629072E8C680B2184B7D9DA325E5E9520295E91D393C175A6FB35F7F87C518CD3B05C05508B646704D97338933AA42B0AD5037E9D736CB3768E1099AB
                                                          Malicious:false
                                                          Reputation:low
                                                          Process:C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1775384
                                                          Entropy (8bit):6.012909963326432
                                                          Encrypted:false
                                                          SSDEEP:49152:28ZN0yNSiX5bYHlMVxGPw7nWokw7nWovDyK:/alMVxGPEnWokEnWot
                                                          MD5:084FE5E54DBF4D7287B48C5695D02D17
                                                          SHA1:58A2693E67491569E9C8F17730159C64FFB5E6DD
                                                          SHA-256:282FC12E4F36B6E2558F5DD33320385F41E72D3A90D0D3777A31EF1BA40722D6
                                                          SHA-512:15FDAD9FCEBB45CCE0C45FE82B387CD2F2602884F9B7F85D9805E26E7EDD442B8EE814F5CDCE12D207A74C3B38D524EC61738D45F72D2523D4FAD31DABB1E154
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Joe Sandbox View:
                                                          • Filename: ocHM0z1PTT.msi, Detection: malicious, Browse
                                                          Reputation:low
                                                          Process:C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):111008
                                                          Entropy (8bit):6.160611861920034
                                                          Encrypted:false
                                                          SSDEEP:1536:kGhoTS3fhrpHYHI9vpyawCqfRhTaoKvFfJBFmhuj/BhujN7T:kZ2/ytzjmvvxJBFmkI7T
                                                          MD5:63F013E0F1F8587F6EA1C973B3D67FC7
                                                          SHA1:E03659EE830E2B55FDE1F5D040A0480DEE26EEB0
                                                          SHA-256:1E7E233814EC574DABB4ADD07FC162CAE6F35C9ABF83253E3C4AABA3712766D8
                                                          SHA-512:248BCEC54CFE024938550B15B6DD53E1336FF5AAD163939FAF2E2ACB294D715B40BB2B19F4E1933249870E5C2B42E65EE0C71694CB478FD6C15C0C18116AF05B
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 54%
                                                          Reputation:low
                                                          Process:C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe
                                                          File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                          Category:dropped
                                                          Size (bytes):71954
                                                          Entropy (8bit):7.996617769952133
                                                          Encrypted:true
                                                          SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                          MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                          SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                          SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                          SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                          Malicious:false
                                                          Process:C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe
                                                          File Type:data
                                                          Category:modified
                                                          Size (bytes):328
                                                          Entropy (8bit):3.247897867253902
                                                          Encrypted:false
                                                          SSDEEP:6:kKRH/99UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:9/kDImsLNkPlE99SNxAhUe/3
                                                          MD5:40C8316098E999EDDDD93663FB88849F
                                                          SHA1:FE3E982C43DEA9DFF4814827F8AC044087CE9A3F
                                                          SHA-256:9DE6E2DB88CCD1EDE2CB03C57AED5C77AB2FB2D449E5D0172264BA55D39B85EB
                                                          SHA-512:6401517AB366ED1972014DF9A0B910318DC749849A50B63BF24E317370549DD0BCCD6EA45AFE6FAE5DC29E522B073DD6B12F32FAF6EC45C1B5DBDDEF7AE8DEFD
                                                          Malicious:false
                                                          Preview:p...... .........xQ...(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):636416
                                                          Entropy (8bit):7.999714858613865
                                                          Encrypted:true
                                                          SSDEEP:12288:POVwM2IsGOK9DsAB5nNXDZJKkrLL7w3WTXgttJhXpA6ZP10Ox1QyjgjJOuZ9KbVS:PXdcOK9gABvOk3n6WTXgtZXpjPeOXQ+6
                                                          MD5:D31AC55A11C74E8A70E1AE4E9A2A40CB
                                                          SHA1:4E884EEDF93ABA3019D20BC0EBC8257AA94D953C
                                                          SHA-256:4AAB12011D917E87D743A467A322F00706EA6D042C9C211709934825876B3B01
                                                          SHA-512:E048681629072E8C680B2184B7D9DA325E5E9520295E91D393C175A6FB35F7F87C518CD3B05C05508B646704D97338933AA42B0AD5037E9D736CB3768E1099AB
                                                          Malicious:false
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1775384
                                                          Entropy (8bit):6.012909963326432
                                                          Encrypted:false
                                                          SSDEEP:49152:28ZN0yNSiX5bYHlMVxGPw7nWokw7nWovDyK:/alMVxGPEnWokEnWot
                                                          MD5:084FE5E54DBF4D7287B48C5695D02D17
                                                          SHA1:58A2693E67491569E9C8F17730159C64FFB5E6DD
                                                          SHA-256:282FC12E4F36B6E2558F5DD33320385F41E72D3A90D0D3777A31EF1BA40722D6
                                                          SHA-512:15FDAD9FCEBB45CCE0C45FE82B387CD2F2602884F9B7F85D9805E26E7EDD442B8EE814F5CDCE12D207A74C3B38D524EC61738D45F72D2523D4FAD31DABB1E154
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Joe Sandbox View:
                                                          • Filename: ocHM0z1PTT.msi, Detection: malicious, Browse
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):111008
                                                          Entropy (8bit):6.160611861920034
                                                          Encrypted:false
                                                          SSDEEP:1536:kGhoTS3fhrpHYHI9vpyawCqfRhTaoKvFfJBFmhuj/BhujN7T:kZ2/ytzjmvvxJBFmkI7T
                                                          MD5:63F013E0F1F8587F6EA1C973B3D67FC7
                                                          SHA1:E03659EE830E2B55FDE1F5D040A0480DEE26EEB0
                                                          SHA-256:1E7E233814EC574DABB4ADD07FC162CAE6F35C9ABF83253E3C4AABA3712766D8
                                                          SHA-512:248BCEC54CFE024938550B15B6DD53E1336FF5AAD163939FAF2E2ACB294D715B40BB2B19F4E1933249870E5C2B42E65EE0C71694CB478FD6C15C0C18116AF05B
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 54%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....<..........DI.......P......................................Z................................]..\....\..<.......$............^...S..........................................................L\..X............................text....:.......<.................. ..`.data...D....P.......@..............@....rsrc...$............P..............@..@.reloc...............T..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Windows Installer, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Windows Installer., Template: Intel;1033, Revision Number: {A509E431-2CD2-476D-A0C7-B01FC235F124}, Create Time/Date: Fri Aug 16 11:25:12 2024, Last Saved Time/Date: Fri Aug 16 11:25:12 2024, Number of Pages: 400, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                          Category:dropped
                                                          Size (bytes):1114112
                                                          Entropy (8bit):7.9692116475212735
                                                          Encrypted:false
                                                          SSDEEP:24576:JXZFaDUZ09brk4FtSVUJY+FidKagAB8Xk9X6uTXgL3XojPwOXQ+ZjdeHVdiYe6Pr:JXKDUC9brNYVUS+FiUag08056t4DO+p5
                                                          MD5:EFEF047506A403740C439B2F071E3901
                                                          SHA1:A938F60B6F5B645D81E6A5F41FDF16F9610DB8E6
                                                          SHA-256:C25B566D99D55FE5CB1A19290748DAC70845663FE0F8BF78F741FE4440055551
                                                          SHA-512:98BD68D4C1B4AB333FE07946C56095449AD33E8E65F8A6E12EA710A09BA908AF6023EDFE8E7ADE550B61EF7FCBFCBDC328F1F94BDAEE143231FBDAE89FDEA0D9
                                                          Malicious:false
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Windows Installer, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Windows Installer., Template: Intel;1033, Revision Number: {A509E431-2CD2-476D-A0C7-B01FC235F124}, Create Time/Date: Fri Aug 16 11:25:12 2024, Last Saved Time/Date: Fri Aug 16 11:25:12 2024, Number of Pages: 400, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                          Category:dropped
                                                          Size (bytes):1114112
                                                          Entropy (8bit):7.9692116475212735
                                                          Encrypted:false
                                                          SSDEEP:24576:JXZFaDUZ09brk4FtSVUJY+FidKagAB8Xk9X6uTXgL3XojPwOXQ+ZjdeHVdiYe6Pr:JXKDUC9brNYVUS+FiUag08056t4DO+p5
                                                          MD5:EFEF047506A403740C439B2F071E3901
                                                          SHA1:A938F60B6F5B645D81E6A5F41FDF16F9610DB8E6
                                                          SHA-256:C25B566D99D55FE5CB1A19290748DAC70845663FE0F8BF78F741FE4440055551
                                                          SHA-512:98BD68D4C1B4AB333FE07946C56095449AD33E8E65F8A6E12EA710A09BA908AF6023EDFE8E7ADE550B61EF7FCBFCBDC328F1F94BDAEE143231FBDAE89FDEA0D9
                                                          Malicious:false
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2285
                                                          Entropy (8bit):5.665274030794339
                                                          Encrypted:false
                                                          SSDEEP:48:NTgfa6Za6btb+Dv6S0MGP3zystTUNDcQeUsm7neigUbuD+Cn8xntEVltni+gE:NTWrZtZyDd0fJsoQeWeitSD+Cn8xtEPV
                                                          MD5:42AFB917841F5FD6CAB703B023D9BF43
                                                          SHA1:E15D33DC6CD4101A908276C1B97B54A57FFBB6C3
                                                          SHA-256:64E139C4D0DAEBDA79A6887945695CE6640A1C015374621D05749EB1B5469741
                                                          SHA-512:6CEB40E25B65C322E06106E21D92B8DC41B7984D52F70C0CA881AB650051EF6FFE979E6541A95E9179360F7D4DE15783141426A76ED933D1138B91CC54697269
                                                          Malicious:false
                                                          Preview:...@IXOS.@.....@AiGY.@.....@.....@.....@.....@.....@......&.{F4D6B0DD-2932-436A-82C5-1296767ABB90}..Windows Installer..Adobe-Setup.msi.@.....@....@.....@........&.{A509E431-2CD2-476D-A0C7-B01FC235F124}.....@.....@.....@.....@.......@.....@.....@.......@......Windows Installer......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{AA0FBF6B-45F7-443D-8835-BDF4F3E57D47}D.C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe.@.......@.....@.....@......&.{BA0FBF6B-45F7-443F-8835-BDF4F3E57D48}1.C:\Users\user\AppData\Local\gVCgHiMSMMBE\hid.dll.@.......@.....@.....@......&.{CA0FBF6B-45F7-443F-8835-BDF4F3E57D48}5.C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDevice.dat.@.......@.....@.....@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]...@.~&..@.....@......*.C:\Users\user\AppData\Local\gVCgHiMSMMBE\....1\......Please
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):1.1634896212564743
                                                          Encrypted:false
                                                          SSDEEP:12:JSbX72Fj+AGiLIlHVRpih/7777777777777777777777777vDHF6zFxl0i8Q:JoQI5yvF
                                                          MD5:CB39FF48C921D8034CDA820FF3E18EFE
                                                          SHA1:8C139D3ED004F87620AAF4B3355021315123FDE5
                                                          SHA-256:B5E3EE50DA9B906CCE909D38AEE64985764D8DACE5A3B157D8221F6C8F29E4F8
                                                          SHA-512:C7D8F044257B1193BDD5CA83EEE9DD61FC9F82EDC1D30415ADF79F08FBBAA830B138C12CA8B5D798C1154F8D51893A13924C8B9AE13759E3C26438ECEE8533C2
                                                          Malicious:false
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):1.4220661747532293
                                                          Encrypted:false
                                                          SSDEEP:24:J/YO38PhSuh3iFip1GE2yza2tzKAMBHoZagUMClXt+Yq+kAdipV7V2BwGUlrkgTv:lR8PhSuRc06WXJWjT5nqUS5oerTSI8k
                                                          MD5:E814DC3957219ECADDC1205C9E930866
                                                          SHA1:44F3A171F8B93B0B95CB29D3E1D00B6FD0796441
                                                          SHA-256:EB53511222E7459941EE98BAFD34DFDC8B9A326EB9DD5CD1C4961A0D9CDF9B31
                                                          SHA-512:B3141F87CA39ABAE318564F4885F9D2B27088B05F4BDC03A8EDD60FF1150BCF47D13198495CEBC2A2B5A2535214815499EFDBBC7856B9F659A5D6DA22EAF373E
                                                          Malicious:false
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):432221
                                                          Entropy (8bit):5.375160408018675
                                                          Encrypted:false
                                                          SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauV:zTtbmkExhMJCIpEr8
                                                          MD5:E193BA22B4DE4EC0390EFB3C9B9124C9
                                                          SHA1:A6C6112448C9FA506A2FA19EC3D0BB0E5DEBDEBA
                                                          SHA-256:442B59A0C6FF2E68597F2604E120E8FFA1D6E76AB15D976E0A9469969C222E09
                                                          SHA-512:7C0C0213BB5D2FA9E144830D2A47D4250D033E45C3AEE7F452E9E0683A53646D1FFBEBD7B636439CD42CD5966A9B925FD6E23555B097F89FB145F72340CF7E77
                                                          Malicious:false
                                                          Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):512
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3::
                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                          Malicious:false
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):1.4220661747532293
                                                          Encrypted:false
                                                          SSDEEP:24:J/YO38PhSuh3iFip1GE2yza2tzKAMBHoZagUMClXt+Yq+kAdipV7V2BwGUlrkgTv:lR8PhSuRc06WXJWjT5nqUS5oerTSI8k
                                                          MD5:E814DC3957219ECADDC1205C9E930866
                                                          SHA1:44F3A171F8B93B0B95CB29D3E1D00B6FD0796441
                                                          SHA-256:EB53511222E7459941EE98BAFD34DFDC8B9A326EB9DD5CD1C4961A0D9CDF9B31
                                                          SHA-512:B3141F87CA39ABAE318564F4885F9D2B27088B05F4BDC03A8EDD60FF1150BCF47D13198495CEBC2A2B5A2535214815499EFDBBC7856B9F659A5D6DA22EAF373E
                                                          Malicious:false
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):1.4220661747532293
                                                          Encrypted:false
                                                          SSDEEP:24:J/YO38PhSuh3iFip1GE2yza2tzKAMBHoZagUMClXt+Yq+kAdipV7V2BwGUlrkgTv:lR8PhSuRc06WXJWjT5nqUS5oerTSI8k
                                                          MD5:E814DC3957219ECADDC1205C9E930866
                                                          SHA1:44F3A171F8B93B0B95CB29D3E1D00B6FD0796441
                                                          SHA-256:EB53511222E7459941EE98BAFD34DFDC8B9A326EB9DD5CD1C4961A0D9CDF9B31
                                                          SHA-512:B3141F87CA39ABAE318564F4885F9D2B27088B05F4BDC03A8EDD60FF1150BCF47D13198495CEBC2A2B5A2535214815499EFDBBC7856B9F659A5D6DA22EAF373E
                                                          Malicious:false
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                          Category:dropped
                                                          Size (bytes):32768
                                                          Entropy (8bit):1.1502738123219673
                                                          Encrypted:false
                                                          SSDEEP:24:JHYh+3wm6uxIiEipKP2xza2tzhALZZagUMClXtdoYq+kAdipV7V2BwGUlrkgTip0:Vnb6uqJveFXJxT5HqUS5oerTSI8k
                                                          MD5:04448DF3A05252993B1F50DA76763114
                                                          SHA1:6CDB3B3131B938230EB298B8AEB4531F1ABCE794
                                                          SHA-256:78897C14803F4E60112B0474F8A3EE796E9BC131F2EED2A0A09541986A89EE06
                                                          SHA-512:99DFD22B1B9A19EF90B2782E8FC6F0B10B951B1103B49F476B4C08B5100C22481628BBD5B7440722EE5F3D01F7D7531E8A1D1822BBD0F4A240E2BFFD5C757F96
                                                          Malicious:false
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):32768
                                                          Entropy (8bit):0.07167699175935253
                                                          Encrypted:false
                                                          SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO6RR9UUraVky6lhX:2F0i8n0itFzDHF6zFx
                                                          MD5:5FF8D7CC0EAC22970000853A92FC7D80
                                                          SHA1:35C89C8670D2467C45AE73777BD86AAD680BCDAE
                                                          SHA-256:9C71948DDAD2D0C382891EF2A2B76A7DAA38BE177781F9B32D2E8B74819D146D
                                                          SHA-512:0E3B0395D200CB52254F8C1284D0446BC7E545215DA283319502F25FA0744550FF5414517769862DF98F84F36BFA5DA197C0907AEDAB65BB489E877DB9F8CEDC
                                                          Malicious:false
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                          Category:dropped
                                                          Size (bytes):32768
                                                          Entropy (8bit):1.1502738123219673
                                                          Encrypted:false
                                                          SSDEEP:24:JHYh+3wm6uxIiEipKP2xza2tzhALZZagUMClXtdoYq+kAdipV7V2BwGUlrkgTip0:Vnb6uqJveFXJxT5HqUS5oerTSI8k
                                                          MD5:04448DF3A05252993B1F50DA76763114
                                                          SHA1:6CDB3B3131B938230EB298B8AEB4531F1ABCE794
                                                          SHA-256:78897C14803F4E60112B0474F8A3EE796E9BC131F2EED2A0A09541986A89EE06
                                                          SHA-512:99DFD22B1B9A19EF90B2782E8FC6F0B10B951B1103B49F476B4C08B5100C22481628BBD5B7440722EE5F3D01F7D7531E8A1D1822BBD0F4A240E2BFFD5C757F96
                                                          Malicious:false
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):512
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3::
                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                          Malicious:false
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:modified
                                                          Size (bytes):512
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3::
                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                          Malicious:false
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):512
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3::
                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                          Malicious:false
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):512
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3::
                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                          Malicious:false
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):69632
                                                          Entropy (8bit):0.08704707345723667
                                                          Encrypted:false
                                                          SSDEEP:12:pO3rIDWG2KLBKyipVWliipVGoVjiRmFJIiWlIC1nn2tpk2sEsA5G6nCguQk+kDWI:wrSp8yipVvipV7V2BwGUlrkgfk+k2
                                                          MD5:512750EBD1BA4C2BA2B75DE6A67FD755
                                                          SHA1:C4D142B1BA27B1D62F9897B41DABD60E0A2AE624
                                                          SHA-256:B03FA45F58B00990D1E3125DCAE8CB9D2B14852411E54F26297E339378C02E37
                                                          SHA-512:A5C9C2841BA7B8E864A5A76E473F36970BFC9071998A870EA99238927AC9026928BE272AE6F0B4B9AB29A3B553684C43788AB6620EFB7CB5DDDB2B168284F5CB
                                                          Malicious:false
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                          Category:dropped
                                                          Size (bytes):32768
                                                          Entropy (8bit):1.1502738123219673
                                                          Encrypted:false
                                                          SSDEEP:24:JHYh+3wm6uxIiEipKP2xza2tzhALZZagUMClXtdoYq+kAdipV7V2BwGUlrkgTip0:Vnb6uqJveFXJxT5HqUS5oerTSI8k
                                                          MD5:04448DF3A05252993B1F50DA76763114
                                                          SHA1:6CDB3B3131B938230EB298B8AEB4531F1ABCE794
                                                          SHA-256:78897C14803F4E60112B0474F8A3EE796E9BC131F2EED2A0A09541986A89EE06
                                                          SHA-512:99DFD22B1B9A19EF90B2782E8FC6F0B10B951B1103B49F476B4C08B5100C22481628BBD5B7440722EE5F3D01F7D7531E8A1D1822BBD0F4A240E2BFFD5C757F96
                                                          Malicious:false
                                                          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Windows Installer, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Windows Installer., Template: Intel;1033, Revision Number: {A509E431-2CD2-476D-A0C7-B01FC235F124}, Create Time/Date: Fri Aug 16 11:25:12 2024, Last Saved Time/Date: Fri Aug 16 11:25:12 2024, Number of Pages: 400, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                          Entropy (8bit):7.9692116475212735
                                                          TrID:
                                                          • Microsoft Windows Installer (60509/1) 88.31%
                                                          • Generic OLE2 / Multistream Compound File (8008/1) 11.69%
                                                          File name:Adobe-Setup.msi
                                                          File size:1'114'112 bytes
                                                          MD5:efef047506a403740c439b2f071e3901
                                                          SHA1:a938f60b6f5b645d81e6a5f41fdf16f9610db8e6
                                                          SHA256:c25b566d99d55fe5cb1a19290748dac70845663fe0f8bf78f741fe4440055551
                                                          SHA512:98bd68d4c1b4ab333fe07946c56095449ad33e8e65f8a6e12ea710a09ba908af6023edfe8e7ade550b61ef7fcbfcbdc328f1f94bdaee143231fbdae89fdea0d9
                                                          SSDEEP:24576:JXZFaDUZ09brk4FtSVUJY+FidKagAB8Xk9X6uTXgL3XojPwOXQ+ZjdeHVdiYe6Pr:JXKDUC9brNYVUS+FiUag08056t4DO+p5
                                                          TLSH:B53533025C422179F2B68370819C7B99AD7ADCE5CE532E44A403FA7F2D395E636D63C2
                                                          Icon Hash:2d2e3797b32b2b99
                                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Oct 7, 2024 19:11:59.541708946 CEST44350017103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:11:59.544240952 CEST50017443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:11:59.544258118 CEST44350017103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:11:59.977750063 CEST44350017103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:00.026361942 CEST50017443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:01.241573095 CEST50017443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:01.241602898 CEST44350017103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:01.241615057 CEST50017443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:01.241622925 CEST44350017103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:02.192095041 CEST44350017103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:02.246910095 CEST50017443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:07.281991959 CEST50017443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:07.282150030 CEST44350017103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:07.282195091 CEST50017443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:07.282377005 CEST50019443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:07.282439947 CEST44350019103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:07.282510996 CEST50019443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:07.282866955 CEST50019443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:07.282882929 CEST44350019103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:09.340401888 CEST44350019103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:09.385395050 CEST50019443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:09.385430098 CEST44350019103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:09.388025999 CEST50019443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:09.388044119 CEST44350019103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:09.816458941 CEST44350019103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:09.870244026 CEST50019443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:11.209760904 CEST50019443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:11.209760904 CEST50019443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:11.209844112 CEST44350019103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:11.209877014 CEST44350019103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:12.660868883 CEST44350019103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:12.713540077 CEST50019443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:17.673089027 CEST50019443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:17.673253059 CEST50021443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:17.673294067 CEST44350021103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:17.673381090 CEST44350019103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:17.673566103 CEST50021443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:17.673578978 CEST50019443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:17.673829079 CEST50021443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:17.673841000 CEST44350021103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:19.851430893 CEST44350021103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:19.904249907 CEST50021443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:19.904270887 CEST44350021103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:19.914133072 CEST50021443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:19.914160013 CEST44350021103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:20.323760986 CEST44350021103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:20.385442019 CEST50021443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:21.624675035 CEST50021443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:21.624715090 CEST44350021103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:21.624723911 CEST50021443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:21.624731064 CEST44350021103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:21.985205889 CEST44350021103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:22.026093006 CEST50021443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:23.526294947 CEST50021443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:23.526485920 CEST44350021103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:23.526544094 CEST50021443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:27.040699959 CEST50023443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:27.040795088 CEST44350023103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:27.040874958 CEST50023443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:27.041240931 CEST50023443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:27.041277885 CEST44350023103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:29.264149904 CEST44350023103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:29.264261961 CEST50023443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:29.266499996 CEST50023443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:29.266519070 CEST44350023103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:29.643337965 CEST44350023103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:29.697983027 CEST50023443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:31.233395100 CEST50023443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:31.233455896 CEST44350023103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:31.233484030 CEST50023443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:31.233496904 CEST44350023103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:31.858165979 CEST44350023103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:31.903438091 CEST50023443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:36.892154932 CEST50023443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:36.892529011 CEST44350023103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:36.892570019 CEST50025443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:36.892621994 CEST44350025103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:36.892679930 CEST50023443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:36.892714977 CEST50025443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:36.892935038 CEST50025443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:36.892950058 CEST44350025103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:39.213066101 CEST44350025103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:39.262247086 CEST50025443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:39.262291908 CEST44350025103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:39.266493082 CEST50025443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:39.266529083 CEST44350025103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:39.670686960 CEST44350025103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:39.731226921 CEST50025443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:40.954454899 CEST50025443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:40.954487085 CEST44350025103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:40.954502106 CEST50025443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:40.954509974 CEST44350025103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:41.300466061 CEST44350025103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:41.354219913 CEST50025443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:44.635679007 CEST50025443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:44.635967970 CEST44350025103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:44.636044979 CEST50025443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:46.334702969 CEST50027443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:46.334774971 CEST44350027103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:46.334858894 CEST50027443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:46.335064888 CEST50027443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:46.335082054 CEST44350027103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:49.437751055 CEST44350027103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:49.479243994 CEST50027443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:49.479266882 CEST44350027103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:49.484767914 CEST50027443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:49.484786034 CEST44350027103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:49.894555092 CEST44350027103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:49.948055983 CEST50027443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:51.013098001 CEST50027443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:51.013133049 CEST44350027103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:51.013147116 CEST50027443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:51.013153076 CEST44350027103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:51.654928923 CEST44350027103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:51.698038101 CEST50027443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:56.684819937 CEST50027443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:56.685048103 CEST44350027103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:56.685117960 CEST50027443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:56.685242891 CEST50029443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:56.685338974 CEST44350029103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:56.685489893 CEST50029443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:56.685697079 CEST50029443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:56.685731888 CEST44350029103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:58.903574944 CEST44350029103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:58.903637886 CEST50029443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:58.906478882 CEST50029443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:12:58.906507969 CEST44350029103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:59.254658937 CEST44350029103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:12:59.307413101 CEST50029443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:00.475719929 CEST50029443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:00.475749969 CEST44350029103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:00.475773096 CEST50029443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:00.475780010 CEST44350029103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:00.815265894 CEST44350029103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:00.869946957 CEST50029443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:05.832638979 CEST50029443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:05.832969904 CEST50031443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:05.833003044 CEST44350031103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:05.833096981 CEST50031443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:05.833264112 CEST44350029103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:05.833336115 CEST50029443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:05.833348036 CEST50031443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:05.833358049 CEST44350031103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:07.977318048 CEST44350031103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:07.981421947 CEST50031443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:07.984402895 CEST50031443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:07.984409094 CEST44350031103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:08.325491905 CEST44350031103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:08.371769905 CEST50031443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:09.732405901 CEST50031443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:09.732405901 CEST50031443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:09.732428074 CEST44350031103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:09.732441902 CEST44350031103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:10.357827902 CEST44350031103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:10.479320049 CEST50031443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:15.468842030 CEST50031443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:15.468988895 CEST44350031103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:15.469049931 CEST50031443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:15.469228029 CEST50033443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:15.469306946 CEST44350033103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:15.469393015 CEST50033443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:15.469589949 CEST50033443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:15.469624043 CEST44350033103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:17.558109999 CEST44350033103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:17.604343891 CEST50033443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:17.604376078 CEST44350033103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:17.636399984 CEST50033443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:17.636490107 CEST44350033103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:18.034970999 CEST44350033103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:18.088716030 CEST50033443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:19.340884924 CEST50033443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:19.340960979 CEST44350033103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:19.340996981 CEST50033443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:19.341023922 CEST44350033103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:20.141094923 CEST44350033103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:20.182477951 CEST50033443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:22.323492050 CEST50033443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:22.323847055 CEST44350033103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:22.323908091 CEST50033443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:25.170857906 CEST50035443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:25.170936108 CEST44350035103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:25.171700954 CEST50035443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:25.175117016 CEST50035443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:25.175153017 CEST44350035103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:27.428128958 CEST44350035103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:27.479346991 CEST50035443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:27.479363918 CEST44350035103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:27.482769012 CEST50035443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:27.482780933 CEST44350035103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:27.911274910 CEST44350035103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:27.963737011 CEST50035443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:29.213084936 CEST50035443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:29.213085890 CEST50035443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:29.213150024 CEST44350035103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:29.213181019 CEST44350035103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:29.797198057 CEST44350035103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:29.838721037 CEST50035443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:34.913676023 CEST50035443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:34.913862944 CEST50037443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:34.913865089 CEST44350035103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:34.913903952 CEST44350037103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:34.916409016 CEST50035443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:34.916414976 CEST50037443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:34.918215036 CEST50037443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:34.918231010 CEST44350037103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:37.100303888 CEST44350037103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:37.168358088 CEST50037443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:37.168380022 CEST44350037103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:37.171315908 CEST50037443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:37.171338081 CEST44350037103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:37.535473108 CEST44350037103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:37.588957071 CEST50037443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:38.662244081 CEST50037443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:38.662244081 CEST50037443192.168.2.4103.238.227.183
                                                          Oct 7, 2024 19:13:38.662271023 CEST44350037103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:38.662282944 CEST44350037103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:39.313057899 CEST44350037103.238.227.183192.168.2.4
                                                          Oct 7, 2024 19:13:39.356426001 CEST50037443192.168.2.4103.238.227.183
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 7, 2024 19:13:57.466025114 CEST | 1.1.1.1 | 192.168.2.4 | 0x1abb | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 19:13:57.466025114 CEST | 1.1.1.1 | 192.168.2.4 | 0x1abb | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false

                                                          Target ID:0
                                                          Start time:13:10:00
                                                          Start date:07/10/2024
                                                          Path:C:\Windows\System32\msiexec.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Adobe-Setup.msi"
                                                          Imagebase:0x7ff782960000
                                                          File size:69'632 bytes
                                                          MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:1
                                                          Start time:13:10:01
                                                          Start date:07/10/2024
                                                          Path:C:\Windows\System32\msiexec.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\msiexec.exe /V
                                                          Imagebase:0x7ff782960000
                                                          File size:69'632 bytes
                                                          MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:2
                                                          Start time:13:10:02
                                                          Start date:07/10/2024
                                                          Path:C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\AppData\Local\gVCgHiMSMMBE\LDeviceDetectionHelper.exe
                                                          Imagebase:0x8f0000
                                                          File size:1'775'384 bytes
                                                          MD5 hash:084FE5E54DBF4D7287B48C5695D02D17
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Korplug, Description: Yara detected Korplug, Source: 00000002.00000002.1784376779.0000000002E2A000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 0%, ReversingLabs
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:3
                                                          Start time:13:10:09
                                                          Start date:07/10/2024
                                                          Path:C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe 979 576
                                                          Imagebase:0xca0000
                                                          File size:1'775'384 bytes
                                                          MD5 hash:084FE5E54DBF4D7287B48C5695D02D17
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Antivirus matches:
                                                          • Detection: 0%, ReversingLabs
                                                          Reputation:moderate
                                                          Has exited:false

                                                          Target ID:5
                                                          Start time:13:10:15
                                                          Start date:07/10/2024
                                                          Path:C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe" 890 904
                                                          Imagebase:0xca0000
                                                          File size:1'775'384 bytes
                                                          MD5 hash:084FE5E54DBF4D7287B48C5695D02D17
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:8
                                                          Start time:13:10:24
                                                          Start date:07/10/2024
                                                          Path:C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\ProgramData\SecurityScan\LDeviceDetectionHelper.exe" 890 904
                                                          Imagebase:0xca0000
                                                          File size:1'775'384 bytes
                                                          MD5 hash:084FE5E54DBF4D7287B48C5695D02D17
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                            Execution Graph

                                                            Execution Coverage:3.1%
                                                            Dynamic/Decrypted Code Coverage:5.2%
                                                            Signature Coverage:4.3%
                                                            Total number of Nodes:1480
                                                            Total number of Limit Nodes:132
927b50 107870->107871 107926 92a1f0 116 API calls Concurrency::details::GlobalNode::Initialize 107871->107926 107872 927b65 107874 925530 115 API calls 107872->107874 107875 927c7a 107872->107875 107876 927c54 107874->107876 107899 927de0 107875->107899 107877 8f6890 RaiseException 107876->107877 107879 927c65 107877->107879 107927 92a290 116 API calls Concurrency::details::GlobalNode::Initialize 107879->107927 107880 927d4a 107883 925530 115 API calls 107880->107883 107881 927d5d 107928 92a350 69 API calls __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 107881->107928 107888 927d56 107883->107888 107885 927d7b 107886 925530 115 API calls 107885->107886 107886->107888 107887 96a63b __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 6 API calls 107889 926b17 107887->107889 107888->107887 107889->107754 107889->107755 107891->107751 107929 8f6820 107892->107929 107894 8f68b9 107895 92fb70 107894->107895 107896 92fbc3 107895->107896 107936 94da90 107896->107936 107900 925530 115 API calls 107899->107900 107901 927e23 107900->107901 108002 8f2130 107901->108002 107903 927e45 108018 92c550 107903->108018 107905 927e6a 107906 927e71 107905->107906 107907 927e95 107905->107907 107908 925530 115 API calls 107906->107908 107909 927edd 107907->107909 107911 927ebb 107907->107911 107923 927e88 107908->107923 107910 925530 115 API calls 107909->107910 107912 927ee9 107910->107912 107913 925530 115 API calls 107911->107913 108029 92a350 69 API calls __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 107912->108029 107914 927ec7 107913->107914 107917 925530 115 API calls 107914->107917 107915 96a63b __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 6 API calls 107918 927d46 107915->107918 107917->107923 107918->107880 107918->107881 107919 927fe3 108030 8f2000 107919->108030 107921 928011 107924 925530 115 API calls 107921->107924 107922 925530 115 API calls 107925 927f08 107922->107925 107923->107915 107924->107923 107925->107919 107925->107922 
107926->107872 107927->107875 107928->107885 107930 8f6832 Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error 107929->107930 107931 96da4b __CxxThrowException@8 RaiseException 107930->107931 107932 8f6855 107930->107932 107933 8f6886 107931->107933 107932->107894 107934 8f6820 RaiseException 107933->107934 107935 8f68b9 107934->107935 107935->107894 107941 950680 107936->107941 107938 94dae0 107946 94dd60 107938->107946 107955 96a66e 107941->107955 107945 9506df 107945->107938 107947 925530 115 API calls 107946->107947 107948 94dd95 107947->107948 107982 946aa0 107948->107982 107950 94dda4 107987 950720 107950->107987 107952 94ddb5 107992 9328a0 107952->107992 107957 96a676 107955->107957 107958 9506c6 107957->107958 107960 96a692 std::exception::exception 107957->107960 107964 96f861 107957->107964 107981 974165 DecodePointer 107957->107981 107958->107945 107963 950a10 116 API calls 107958->107963 107961 96da4b __CxxThrowException@8 RaiseException 107960->107961 107962 96a6bc 107961->107962 107963->107945 107965 96f8dc 107964->107965 107973 96f86d 107964->107973 107966 974165 _malloc DecodePointer 107965->107966 107967 96f8e2 107966->107967 107969 96c883 __wcstombs_s_l 67 API calls 107967->107969 107968 96f878 107970 97465e __FF_MSGBANNER 67 API calls 107968->107970 107968->107973 107974 9746bb __NMSG_WRITE 67 API calls 107968->107974 107978 96b131 _doexit GetModuleHandleExW GetProcAddress ExitProcess 107968->107978 107972 96f8d4 107969->107972 107970->107968 107971 96f8a0 RtlAllocateHeap 107971->107972 107971->107973 107972->107957 107973->107968 107973->107971 107975 96f8c8 107973->107975 107976 974165 _malloc DecodePointer 107973->107976 107979 96f8c6 107973->107979 107974->107968 107977 96c883 __wcstombs_s_l 67 API calls 107975->107977 107976->107973 107977->107979 107978->107968 107980 96c883 __wcstombs_s_l 67 API calls 107979->107980 107980->107972 107981->107957 107983 946acc 
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error 107982->107983 107984 946aeb 107983->107984 107985 96da4b __CxxThrowException@8 RaiseException 107983->107985 107984->107950 107986 946b1e 107985->107986 107988 96a66e Concurrency::details::GlobalNode::Initialize 69 API calls 107987->107988 107989 950766 107988->107989 107991 95077f 107989->107991 107999 950aa0 116 API calls 107989->107999 107991->107952 107993 9328b1 107992->107993 107994 9328d0 107992->107994 107993->107994 107995 9328b7 107993->107995 107996 927aec 107994->107996 108001 929650 69 API calls 107994->108001 107995->107996 108000 929650 69 API calls 107995->108000 107996->107868 107996->107872 107999->107991 108000->107996 108001->107996 108003 8f213e 108002->108003 108004 8f2195 108002->108004 108003->108004 108011 8f2164 108003->108011 108005 8f219e 108004->108005 108006 8f221c 108004->108006 108010 8f21b0 _memmove 108005->108010 108065 8f23c0 69 API calls 3 library calls 108005->108065 108066 969369 69 API calls 2 library calls 108006->108066 108008 8f2226 108010->107903 108012 8f217f 108011->108012 108013 8f2169 108011->108013 108014 8f2000 69 API calls 108012->108014 108015 8f2000 69 API calls 108013->108015 108016 8f218f 108014->108016 108017 8f2179 108015->108017 108016->107903 108017->107903 108067 92c7a0 108018->108067 108020 92c59d 108021 92c647 108020->108021 108070 96a708 108020->108070 108021->107905 108025 92c615 108080 934830 108025->108080 108026 92c625 108026->108021 108131 92ba80 69 API calls __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 108026->108131 108029->107925 108031 8f2019 108030->108031 108032 8f2102 108030->108032 108034 8f206d 108031->108034 108035 8f2026 108031->108035 108263 969397 69 API calls 2 library calls 108032->108263 108036 8f2116 108034->108036 108037 8f2076 108034->108037 108038 8f210c 108035->108038 108039 8f2032 108035->108039 108265 969369 69 API calls 2 library calls 108036->108265 108051 8f2088 _memmove 
108037->108051 108262 8f23c0 69 API calls 3 library calls 108037->108262 108264 969397 69 API calls 2 library calls 108038->108264 108042 8f203b 108039->108042 108043 8f2054 108039->108043 108260 8f2260 69 API calls _memmove 108042->108260 108261 8f2260 69 API calls _memmove 108043->108261 108045 8f2120 108050 8f2195 108045->108050 108057 8f2164 108045->108057 108048 8f204b 108048->107921 108049 8f2064 108049->107921 108052 8f219e 108050->108052 108053 8f221c 108050->108053 108051->107921 108058 8f21b0 _memmove 108052->108058 108266 8f23c0 69 API calls 3 library calls 108052->108266 108267 969369 69 API calls 2 library calls 108053->108267 108055 8f2226 108059 8f217f 108057->108059 108060 8f2169 108057->108060 108058->107921 108061 8f2000 69 API calls 108059->108061 108062 8f2000 69 API calls 108060->108062 108063 8f218f 108061->108063 108064 8f2179 108062->108064 108063->107921 108064->107921 108065->108010 108066->108008 108132 92c710 108067->108132 108069 92c7b7 108069->108020 108136 974198 108070->108136 108072 92c60a 108073 8f1f70 108072->108073 108074 8f1f8f 108073->108074 108075 8f1fa1 108073->108075 108076 8f2130 69 API calls 108074->108076 108078 8f2130 69 API calls 108075->108078 108077 8f1f9a 108076->108077 108077->108025 108079 8f1fba 108078->108079 108079->108025 108081 96963d std::_Pad::_Pad 182 API calls 108080->108081 108082 934873 108081->108082 108088 934880 108082->108088 108210 969687 69 API calls std::_Throw_Cpp_error 108082->108210 108085 8f2000 69 API calls 108100 9348ee 108085->108100 108086 934a5f __Mtx_unlock 108090 934a76 108086->108090 108213 969687 69 API calls std::_Throw_Cpp_error 108086->108213 108088->108088 108088->108100 108211 969317 69 API calls 3 library calls 108088->108211 108089 96a66e Concurrency::details::GlobalNode::Initialize 69 API calls 108089->108100 108091 96a63b __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 6 API calls 108090->108091 108093 934ac5 108091->108093 108093->108026 108094 934acb 108162 9692e6 
108094->108162 108097 934b2a 108099 96963d std::_Pad::_Pad 182 API calls 108097->108099 108098 934bdd 108101 934cad 108098->108101 108103 96963d std::_Pad::_Pad 182 API calls 108098->108103 108102 934b33 108099->108102 108100->108085 108100->108086 108100->108089 108100->108094 108212 8f3000 229 API calls 108100->108212 108105 96a63b __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 6 API calls 108101->108105 108109 934b40 __Mtx_unlock 108102->108109 108214 969687 69 API calls std::_Throw_Cpp_error 108102->108214 108104 934bef 108103->108104 108110 934bfc __Mtx_unlock 108104->108110 108218 969687 69 API calls std::_Throw_Cpp_error 108104->108218 108107 934cdb 108105->108107 108107->108026 108111 934b7d 108109->108111 108215 969687 69 API calls std::_Throw_Cpp_error 108109->108215 108115 934c39 108110->108115 108219 969687 69 API calls std::_Throw_Cpp_error 108110->108219 108111->108101 108180 947c30 108111->108180 108194 94eac0 108111->108194 108201 945860 108111->108201 108114 934b96 108114->108101 108116 96963d std::_Pad::_Pad 182 API calls 108114->108116 108115->108101 108117 96963d std::_Pad::_Pad 182 API calls 108115->108117 108118 934ba9 108116->108118 108119 934c5d 108117->108119 108120 934bb6 108118->108120 108216 969687 69 API calls std::_Throw_Cpp_error 108118->108216 108121 934c6a 108119->108121 108220 969687 69 API calls std::_Throw_Cpp_error 108119->108220 108217 8f4430 69 API calls __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 108120->108217 108221 8f4430 69 API calls __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 108121->108221 108126 934bd6 __Mtx_unlock 108126->108101 108222 969687 69 API calls std::_Throw_Cpp_error 108126->108222 108131->108021 108135 99bdbf 69 API calls 8 library calls 108132->108135 108134 92c72f 108134->108069 108135->108134 108137 9741a4 __getstream 108136->108137 108139 974274 __getstream 108137->108139 108156 98af9c 68 API calls 6 library calls 108137->108156 108139->108072 108140 9741cc _strlen 
108140->108139 108141 96facb __lock 68 API calls 108140->108141 108142 9741fb 108141->108142 108143 974235 108142->108143 108145 96f861 _malloc 68 API calls 108142->108145 108160 96b5f0 68 API calls 2 library calls 108143->108160 108147 97420d 108145->108147 108146 974267 108161 974280 LeaveCriticalSection _doexit 108146->108161 108147->108143 108149 96f861 _malloc 68 API calls 108147->108149 108150 97421e 108149->108150 108151 974257 108150->108151 108157 96d263 68 API calls __wcstombs_s_l 108150->108157 108159 96b5f0 68 API calls 2 library calls 108151->108159 108154 97422e 108154->108143 108158 973df5 8 API calls 2 library calls 108154->108158 108156->108140 108157->108154 108158->108151 108159->108143 108160->108146 108161->108139 108163 969301 std::exception::exception 108162->108163 108164 96da4b __CxxThrowException@8 RaiseException 108163->108164 108165 969316 Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error 108164->108165 108166 96da4b __CxxThrowException@8 RaiseException 108165->108166 108167 96933a 108166->108167 108223 96b495 108167->108223 108170 96da4b __CxxThrowException@8 RaiseException 108171 969368 108170->108171 108172 96b495 std::exception::exception 68 API calls 108171->108172 108173 969381 108172->108173 108174 96da4b __CxxThrowException@8 RaiseException 108173->108174 108175 969396 108174->108175 108176 96b495 std::exception::exception 68 API calls 108175->108176 108177 9693af 108176->108177 108178 96da4b __CxxThrowException@8 RaiseException 108177->108178 108179 934ad0 108178->108179 108179->108097 108179->108098 108181 925530 115 API calls 108180->108181 108182 947c75 108181->108182 108183 8f2130 69 API calls 108182->108183 108184 947c97 108183->108184 108185 92c550 266 API calls 108184->108185 108192 947cbc 108185->108192 108186 925530 115 API calls 108187 947e8d 108186->108187 108188 96a63b __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 6 API calls 108187->108188 108189 947eae 108188->108189 
108189->108114 108190 8f2130 69 API calls 108190->108192 108192->108190 108193 947e05 108192->108193 108226 94bab0 69 API calls 108192->108226 108193->108186 108195 925530 115 API calls 108194->108195 108196 94eaf9 108195->108196 108227 94de80 108196->108227 108199 925530 115 API calls 108200 94eb22 108199->108200 108200->108114 108202 925530 115 API calls 108201->108202 108203 945874 108202->108203 108204 8f2130 69 API calls 108203->108204 108205 945896 108204->108205 108209 92c550 266 API calls 108205->108209 108206 9458be 108207 925530 115 API calls 108206->108207 108208 9458d0 108207->108208 108208->108114 108209->108206 108210->108088 108211->108100 108212->108100 108213->108090 108214->108109 108215->108111 108216->108120 108217->108126 108218->108110 108219->108115 108220->108121 108221->108126 108222->108101 108224 96b56c std::exception::_Copy_str 68 API calls 108223->108224 108225 969353 108224->108225 108225->108170 108226->108192 108228 925530 115 API calls 108227->108228 108229 94dec8 108228->108229 108230 96963d std::_Pad::_Pad 182 API calls 108229->108230 108231 94ded5 108230->108231 108232 94dee2 108231->108232 108233 969687 std::_Thrd_startX 69 API calls 108231->108233 108234 94df07 108232->108234 108235 94def3 108232->108235 108233->108232 108237 925530 115 API calls 108234->108237 108236 925530 115 API calls 108235->108236 108238 94deff 108236->108238 108243 94df13 108237->108243 108239 925530 115 API calls 108238->108239 108241 94e09b __Mtx_unlock 108239->108241 108240 94dfa9 108242 96a66e Concurrency::details::GlobalNode::Initialize 69 API calls 108240->108242 108244 94e0b6 108241->108244 108245 969687 std::_Thrd_startX 69 API calls 108241->108245 108246 94dfb4 108242->108246 108259 95e720 89 API calls 108243->108259 108244->108199 108245->108244 108247 94dfd5 108246->108247 108248 9507c0 207 API calls 108246->108248 108249 925530 115 API calls 108247->108249 108248->108247 108250 94dfed 108249->108250 108251 96963d std::_Pad::_Pad 182 API calls 
108250->108251 108252 94dffa 108251->108252 108253 969687 std::_Thrd_startX 69 API calls 108252->108253 108256 94e007 108252->108256 108253->108256 108254 96a087 std::_Pad::_Launch 178 API calls 108254->108256 108255 94e03e __Mtx_unlock 108255->108238 108257 969687 std::_Thrd_startX 69 API calls 108255->108257 108256->108254 108256->108255 108258 969687 std::_Thrd_startX 69 API calls 108256->108258 108257->108238 108258->108256 108259->108240 108260->108048 108261->108049 108262->108051 108263->108038 108264->108036 108265->108045 108266->108058 108267->108055 108268 10012799 108269 100127bc CreateThread 108268->108269 108270 100127b7 108268->108270 108269->108270 108271 1001239f 108269->108271 108313 10010da4 108271->108313 108277 10012421 108280 1001244b 108277->108280 108460 10009505 27 API calls 108277->108460 108279 1001246c Sleep 108279->108280 108280->108279 108281 10012467 108280->108281 108461 10009505 27 API calls 108280->108461 108408 1000eb3a 108281->108408 108284 100124c6 GetFileAttributesW 108285 100124f4 108284->108285 108286 100124ef exit 108284->108286 108287 10013be2 memset 108285->108287 108290 10012769 108286->108290 108289 10012515 memmove memmove 108287->108289 108291 100106c6 28 API calls 108289->108291 108292 1001255c 108291->108292 108295 10012586 108292->108295 108462 10009505 27 API calls 108292->108462 108294 100125a7 Sleep 108294->108295 108295->108294 108296 100125a2 108295->108296 108463 10009505 27 API calls 108295->108463 108297 1000eb3a 29 API calls 108296->108297 108299 10012601 CreateFileW 108297->108299 108300 10013be2 memset 108299->108300 108301 1001265b memmove memmove 108300->108301 108302 100106c6 28 API calls 108301->108302 108303 100126ab 108302->108303 108307 100126d5 108303->108307 108464 10009505 27 API calls 108303->108464 108305 100126f7 108308 10012757 exit 108305->108308 108309 1001275c 108305->108309 108306 100126fc Sleep 108306->108307 108307->108305 108307->108306 108465 10009505 27 API calls 108307->108465 
108308->108290 108411 10011d5c 108309->108411 108314 10010dcd 108313->108314 108466 10007d73 108314->108466 108319 100137df memcpy 108320 10010ea5 108319->108320 108321 100137df memcpy 108320->108321 108322 10010eb8 108321->108322 108323 100137df memcpy 108322->108323 108324 10010ecb 108323->108324 108474 1000d960 108324->108474 108327 10007d73 27 API calls 108328 1001105c 108327->108328 108329 100137df memcpy 108328->108329 108330 10011072 108329->108330 108331 100137df memcpy 108330->108331 108332 10011085 108331->108332 108333 100137df memcpy 108332->108333 108334 10011098 108333->108334 108335 100137df memcpy 108334->108335 108336 100110ab 108335->108336 108337 100137df memcpy 108336->108337 108338 100110be 108337->108338 108339 100137df memcpy 108338->108339 108340 100110d1 108339->108340 108341 100137df memcpy 108340->108341 108342 100110e4 108341->108342 108343 100137df memcpy 108342->108343 108344 100110f4 108343->108344 108345 10007d73 27 API calls 108344->108345 108346 1001115d 108345->108346 108347 100137df memcpy 108346->108347 108348 10011173 108347->108348 108349 100137df memcpy 108348->108349 108350 10011183 108349->108350 108483 1000c510 108350->108483 108352 100111a7 108353 100111d9 108352->108353 108507 10009505 27 API calls 108352->108507 108355 10013be2 memset 108353->108355 108356 100111e8 memmove memmove 108355->108356 108494 100139a3 108356->108494 108359 10007d73 27 API calls 108360 100114d7 108359->108360 108361 100137df memcpy 108360->108361 108362 100114ea 108361->108362 108363 100137df memcpy 108362->108363 108364 100114fd 108363->108364 108365 100137df memcpy 108364->108365 108366 10011510 108365->108366 108367 100137df memcpy 108366->108367 108368 10011523 108367->108368 108369 100137df memcpy 108368->108369 108370 10011536 108369->108370 108371 100137df memcpy 108370->108371 108372 10011549 108371->108372 108373 100137df memcpy 108372->108373 108374 1001155c 108373->108374 108375 100137df memcpy 108374->108375 108376 1001156f 
108375->108376 108377 100137df memcpy 108376->108377 108378 10011582 108377->108378 108379 100137df memcpy 108378->108379 108380 10011595 108379->108380 108381 100137df memcpy 108380->108381 108382 100115a8 108381->108382 108383 100137df memcpy 108382->108383 108384 100115bb 108383->108384 108385 100137df memcpy 108384->108385 108386 100115cb 108385->108386 108387 10007d73 27 API calls 108386->108387 108388 10011634 108387->108388 108389 100137df memcpy 108388->108389 108390 10011647 108389->108390 108391 100137df memcpy 108390->108391 108392 10011657 108391->108392 108393 1000eb3a 29 API calls 108392->108393 108394 1001167d GetFileAttributesW 108393->108394 108395 100116b5 108394->108395 108396 100116ba 108394->108396 108398 1000865a 27 API calls 108395->108398 108399 100116dc 108395->108399 108508 1000865a 108396->108508 108398->108399 108400 10013be2 108399->108400 108635 10013792 108400->108635 108403 10013792 memset 108404 100123da memmove memmove 108403->108404 108405 100106c6 memmove 108404->108405 108639 10010635 108405->108639 108407 100106fe 108407->108277 108644 1000efd4 108408->108644 108410 1000eb5d 108410->108284 108412 10013be2 memset 108411->108412 108413 10011d87 memmove memmove 108412->108413 108414 100106c6 28 API calls 108413->108414 108415 10011dce 108414->108415 108419 10011df8 108415->108419 108684 10009505 27 API calls 108415->108684 108417 10011e14 108418 10013792 memset 108417->108418 108420 10011e8b 108418->108420 108419->108417 108685 10009505 27 API calls 108419->108685 108671 100137b4 memcpy 108420->108671 108423 10011ea3 108425 10011ec1 108423->108425 108686 10008303 27 API calls 108423->108686 108672 1000a082 108425->108672 108427 10011f42 ReadFile 108430 10011fb3 Sleep 108427->108430 108431 10011fb8 108427->108431 108434 10011fd7 108430->108434 108431->108290 108675 1001197f 108434->108675 108437 10013be2 memset 108438 10012050 memmove memmove 108437->108438 108439 100106c6 28 API calls 108438->108439 108440 100120a9 108439->108440 
108441 100120dc 108440->108441 108688 10009505 27 API calls 108440->108688 108443 10012101 NtAllocateVirtualMemory 108441->108443 108444 10012106 Sleep 108441->108444 108689 10009505 27 API calls 108441->108689 108449 1001219c 108443->108449 108444->108441 108446 100121bf NtWriteVirtualMemory NtProtectVirtualMemory 108450 10013be2 memset 108446->108450 108449->108446 108690 100086e7 27 API calls 108449->108690 108452 1001226c memmove memmove 108450->108452 108453 100106c6 28 API calls 108452->108453 108454 100122c5 108453->108454 108458 100122f8 108454->108458 108691 10009505 27 API calls 108454->108691 108456 10012323 EnumSystemGeoID 108456->108431 108458->108456 108692 10009505 27 API calls 108458->108692 108460->108280 108461->108280 108462->108295 108463->108295 108464->108307 108465->108307 108467 10007d97 108466->108467 108514 1000797c 108467->108514 108470 100137df 108471 10010e92 108470->108471 108472 100137fa 108470->108472 108471->108319 108536 10013cff memcpy 108472->108536 108537 1000d89a 108474->108537 108481 1000865a 27 API calls 108482 1000d9ad 108481->108482 108482->108327 108485 1000c52e 108483->108485 108484 1000c6c6 108484->108352 108485->108484 108487 1000c5a0 108485->108487 108624 10009505 27 API calls 108485->108624 108487->108484 108489 1000c682 108487->108489 108625 10009505 27 API calls 108487->108625 108491 1000c6a6 108489->108491 108626 10009505 27 API calls 108489->108626 108491->108484 108492 10009505 27 API calls 108491->108492 108493 100086e7 27 API calls 108491->108493 108492->108491 108493->108491 108495 100139cc 108494->108495 108498 100139dd 108495->108498 108630 10009505 27 API calls 108495->108630 108497 10013a01 108500 10013a22 108497->108500 108632 10008303 27 API calls 108497->108632 108498->108497 108631 10009505 27 API calls 108498->108631 108627 1000845f 108500->108627 108503 10011233 108503->108359 108504 100086e7 27 API calls 108506 10013a66 108504->108506 108505 10009505 27 API calls 108505->108506 108506->108503 
108506->108504 108506->108505 108507->108353 108509 10008678 108508->108509 108510 1000867d 108508->108510 108509->108395 108510->108509 108633 10007e15 27 API calls 108510->108633 108512 100086af 108634 1000b1ab memcpy 108512->108634 108519 100078fe 108514->108519 108516 100079a1 108517 1000ad9c memset 108516->108517 108518 100079b4 108517->108518 108518->108470 108526 10007765 108519->108526 108522 100043e8 8 API calls 108523 10007937 108522->108523 108530 1000b7a3 108523->108530 108525 10007965 108525->108516 108527 100077bc 108526->108527 108529 1000789e 108527->108529 108534 100074f3 27 API calls 108527->108534 108529->108522 108531 1000b7d6 108530->108531 108532 1000b7db 108530->108532 108531->108525 108532->108531 108535 1000b369 13 API calls 108532->108535 108534->108529 108535->108531 108536->108471 108584 10001c56 108537->108584 108539 1000d8f3 108544 1000db87 108539->108544 108540 1000d8c3 108540->108539 108541 1000d913 108540->108541 108542 10001c56 28 API calls 108540->108542 108597 10002418 27 API calls 108541->108597 108542->108540 108609 1000dba9 memset 108544->108609 108546 1000d991 108547 1000d08b 108546->108547 108610 10008148 108547->108610 108550 10008148 13 API calls 108551 1000d0b9 108550->108551 108552 10008148 13 API calls 108551->108552 108553 1000d0ce 108552->108553 108578 1000d134 108553->108578 108614 10009505 27 API calls 108553->108614 108555 1000d150 108555->108481 108556 1000d260 108558 1000d2a3 108556->108558 108615 100086e7 27 API calls 108556->108615 108561 1000d363 108558->108561 108577 1000d312 108558->108577 108616 10009505 27 API calls 108558->108616 108559 1000d400 108622 10009c14 27 API calls 108559->108622 108617 100098f1 27 API calls 108561->108617 108562 1000d3b8 108568 10008148 13 API calls 108562->108568 108564 1000d494 108569 10008148 13 API calls 108564->108569 108566 1000d405 108567 1000d429 108566->108567 108619 10009505 27 API calls 108566->108619 108620 100098f1 27 API calls 108567->108620 108576 1000d3c5 
108568->108576 108569->108555 108572 1000d443 108573 10008148 13 API calls 108572->108573 108575 1000d450 108573->108575 108574 10009505 27 API calls 108574->108578 108621 10009c14 27 API calls 108575->108621 108576->108577 108618 10009505 27 API calls 108576->108618 108577->108559 108577->108566 108578->108555 108578->108556 108578->108574 108579 100086e7 27 API calls 108578->108579 108579->108578 108582 1000d469 108583 10008148 13 API calls 108582->108583 108583->108555 108598 10002e32 108584->108598 108588 10001cb0 108592 10001ccb 108588->108592 108606 10008303 27 API calls 108588->108606 108589 10001c8c 108589->108588 108605 10009505 27 API calls 108589->108605 108593 1000797c 27 API calls 108592->108593 108595 10001d15 108593->108595 108594 10001d49 108594->108540 108595->108594 108596 10009505 27 API calls 108595->108596 108596->108595 108597->108539 108599 10002e64 108598->108599 108603 10001c7b 108599->108603 108607 100030e4 fabs 108599->108607 108601 10002eec 108608 100030e4 fabs 108601->108608 108603->108589 108604 10009505 27 API calls 108603->108604 108604->108589 108605->108588 108606->108592 108607->108601 108608->108603 108609->108546 108612 10008163 108610->108612 108611 10008176 108611->108550 108612->108611 108623 1000b435 13 API calls 108612->108623 108614->108578 108615->108558 108616->108561 108617->108562 108618->108577 108619->108567 108620->108572 108621->108582 108622->108564 108623->108611 108624->108487 108625->108489 108626->108491 108628 10007d73 27 API calls 108627->108628 108629 1000847a 108628->108629 108629->108506 108630->108498 108631->108497 108632->108500 108633->108512 108634->108509 108638 10013cd4 memset 108635->108638 108637 100137af 108637->108403 108638->108637 108640 1001065a 108639->108640 108641 10010655 108639->108641 108643 100019c0 27 API calls 108640->108643 108641->108407 108643->108641 108645 1000eff2 108644->108645 108648 1000effb 108644->108648 108664 1000f2ec strlen 108645->108664 108647 1000f02b 108649 

                                                            Control-flow Graph

                                                            APIs
                                                            • LoadLibraryW.KERNELBASE(hid.dll), ref: 0095E73E
                                                            • GetLastError.KERNEL32 ref: 0095E75D
                                                            • std::exception::exception.LIBCMT ref: 0095E773
                                                            • __CxxThrowException@8.LIBCMT ref: 0095E799
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0095E7C7
                                                            • KiUserCallbackDispatcher.NTDLL(?), ref: 0095E7D2
                                                            • GetLastError.KERNEL32 ref: 0095E7E6
                                                            • std::exception::exception.LIBCMT ref: 0095E7FF
                                                              • Part of subcall function 0096B495: std::exception::_Copy_str.LIBCMT ref: 0096B4AE
                                                            • __CxxThrowException@8.LIBCMT ref: 0095E82A
                                                              • Part of subcall function 0096DA4B: RaiseException.KERNEL32(?,?,00000000,009CE810,?,?,?,0096A6BC,00000000,009CE810,00000000,00000001), ref: 0096DA9C
                                                              • Part of subcall function 0095E720: GetProcAddress.KERNEL32(00000000,00000000), ref: 0095E85B
                                                            • GetLastError.KERNEL32 ref: 0095E87C
                                                            • std::exception::exception.LIBCMT ref: 0095E895
                                                            • __CxxThrowException@8.LIBCMT ref: 0095E8C0
                                                              • Part of subcall function 0095E720: GetProcAddress.KERNEL32(00000000,00000000), ref: 0095E8FB
                                                            • GetLastError.KERNEL32 ref: 0095E91F
                                                            • std::exception::exception.LIBCMT ref: 0095E938
                                                            • __CxxThrowException@8.LIBCMT ref: 0095E963
                                                              • Part of subcall function 0095E720: GetProcAddress.KERNEL32(00000000,00000000), ref: 0095E99B
                                                            • GetLastError.KERNEL32 ref: 0095E9BC
                                                            • std::exception::exception.LIBCMT ref: 0095E9D5
                                                            • __CxxThrowException@8.LIBCMT ref: 0095EA00
                                                              • Part of subcall function 0095E720: GetProcAddress.KERNEL32(00000000,00000000), ref: 0095EA37
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0095EA56
                                                            • std::exception::exception.LIBCMT ref: 0095EA6F
                                                            • __CxxThrowException@8.LIBCMT ref: 0095EA9A
                                                              • Part of subcall function 0095E720: GetProcAddress.KERNEL32(00000000,00000000), ref: 0095EACB
                                                            • GetLastError.KERNEL32 ref: 0095EAEC
                                                            • std::exception::exception.LIBCMT ref: 0095EB05
                                                            • __CxxThrowException@8.LIBCMT ref: 0095EB30
                                                              • Part of subcall function 0095E720: GetProcAddress.KERNEL32(00000000), ref: 0095EB6F
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0095EB95
                                                            • std::exception::exception.LIBCMT ref: 0095EBAE
                                                            • __CxxThrowException@8.LIBCMT ref: 0095EBD9
                                                              • Part of subcall function 0095E720: GetProcAddress.KERNEL32(00000000,?), ref: 0095EC0F
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 0095EC32
                                                            • std::exception::exception.LIBCMT ref: 0095EC4B
                                                            • __CxxThrowException@8.LIBCMT ref: 0095EC76
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1783021971.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 00000002.00000002.1782978926.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783117717.00000000009A9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783257820.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783275995.00000000009DC000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783291990.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783305365.00000000009E3000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783318707.00000000009EC000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783372490.00000000009ED000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783389024.00000000009F5000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783389024.00000000009F8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783419263.00000000009FC000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783419263.0000000000A88000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_8f0000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: ErrorException@8LastThrowstd::exception::exception$AddressProc$CallbackCopy_strDispatcherExceptionLibraryLoadRaiseUserstd::exception::_
                                                            • String ID: HidD_FreePreparsedData$HidD_GetAttributes$HidD_GetHidGuid$HidD_GetPreparsedData$HidD_GetProductString$HidP_GetCaps$HidP_GetLinkCollectionNodes$HidP_GetValueCaps$hid.dll
                                                            • API String ID: 2588952195-3165394265
                                                            • Opcode ID: c93db1dce154fa1e737b9e319ec8872719becbfb29c8651c5fedaa99b82070ce
                                                            • Instruction ID: baeae1f9d9c7918e6a93c35306b5bd4ab6ba551faa3991254e39ee07fad97cab
                                                            • Opcode Fuzzy Hash: c93db1dce154fa1e737b9e319ec8872719becbfb29c8651c5fedaa99b82070ce
                                                            • Instruction Fuzzy Hash: E2E15FB1519304AF8314EF669805A9FB7E8BFC8718F00461EF959A7241EB71E604CBE3
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(?), ref: 04DD14D5
                                                            • LoadLibraryA.KERNEL32(?), ref: 04DD15A0
                                                            • LoadLibraryA.KERNEL32(?), ref: 04DD1650
                                                            • LoadLibraryA.KERNELBASE(?), ref: 04DD1713
                                                            • LoadLibraryA.KERNELBASE(?), ref: 04DD17D2
                                                            • LoadLibraryA.KERNELBASE(?), ref: 04DD189D
                                                            • LoadLibraryA.KERNELBASE(?), ref: 04DD195B
                                                            • LoadLibraryA.KERNEL32(?), ref: 04DD1A1B
                                                            • LoadLibraryA.KERNELBASE(?), ref: 04DD1AEC
                                                            • LoadLibraryA.KERNELBASE(?), ref: 04DD1BA5
                                                            • ExitProcess.KERNEL32 ref: 04DD1C5B
                                                              • Part of subcall function 04DD1290: GetProcAddress.KERNEL32(?,?), ref: 04DD1345
                                                            • GetLastError.KERNEL32 ref: 04DD21D3
                                                            • ExitProcess.KERNEL32(00000000), ref: 04DD2621
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784430480.0000000004DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04DD1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_4dd1000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad$ExitProcess$AddressErrorLastProc
                                                            • String ID: %$bcV$bcV$bcV$bcV$bcV$bcV$bcV$bcV$bcV$bcV$bcV$bcV$bcV$bcV$bcV$bcV$bcV$bcV$q"]]$r"]]$r"]]$rc7E$rc7E$rc7E$rc7E$wrL
                                                            • API String ID: 3904538810-3344043520
                                                            • Opcode ID: 94725433dae08e89d21f83b98cc23644039857adae37bbfc8d3368b4b7b57673
                                                            • Instruction ID: f117b95056a131854056a0550e2ad196c8ba50502abe784d8202945f981f97bf
                                                            • Opcode Fuzzy Hash: 94725433dae08e89d21f83b98cc23644039857adae37bbfc8d3368b4b7b57673
                                                            • Instruction Fuzzy Hash: 3AA222347083418FDB198E28C0D06AEBBE2EFD6314F644A5DD0D6873A4E735A849CB67

                                                            Control-flow Graph

                                                            APIs
                                                            • memmove.MSVCRT(?,?,00000008), ref: 10011D9E
                                                            • memmove.MSVCRT(?,?,00000008), ref: 10011DC1
                                                              • Part of subcall function 100106C6: memmove.MSVCRT(?,?,00000008,?,?,10012421), ref: 100106EB
                                                            • ReadFile.KERNELBASE(10012769,?,?,?), ref: 10011FA0
                                                            • Sleep.KERNELBASE(000007D0), ref: 10011FC9
                                                            • memmove.MSVCRT(?,?,00000008), ref: 10012073
                                                            • memmove.MSVCRT(?,?,00000008), ref: 1001209C
                                                            • Sleep.KERNELBASE(00000001), ref: 1001211B
                                                            • NtAllocateVirtualMemory.NTDLL(FFFFFFFF,?,?,?,00001000,00000004), ref: 10012183
                                                            • NtWriteVirtualMemory.NTDLL(FFFFFFFF,?,?,?,?), ref: 10012215
                                                            • NtProtectVirtualMemory.NTDLL(FFFFFFFF,?,?,00000040,?), ref: 10012240
                                                            • memmove.MSVCRT(?,?,00000008), ref: 1001228F
                                                            • memmove.MSVCRT(?,?,00000008), ref: 100122B8
                                                            • EnumSystemGeoID.KERNEL32(00000010,?,?), ref: 10012398
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1785905243.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000002.00000002.1785882178.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785925566.0000000010015000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785942469.000000001001E000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785957907.000000001001F000.00000002.00000001.01000000.00000004.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_10000000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: memmove$MemoryVirtual$Sleep$AllocateEnumFileProtectReadSystemWrite
                                                            • String ID:
                                                            • API String ID: 3968872177-0
                                                            • Opcode ID: c7e797c76fbc9d6ddd151fa8792f94fef31dfd95afdb8346705b1e513aedc412
                                                            • Instruction ID: 68ac37f32125a0a3a5af9de8c142dd0c3cc6016a4387533566397bd4b211f93e
                                                            • Opcode Fuzzy Hash: c7e797c76fbc9d6ddd151fa8792f94fef31dfd95afdb8346705b1e513aedc412
                                                            • Instruction Fuzzy Hash: 77F1B9B5E101089FDB54DBA8CC81BDEB7F9EB08300F104169F519EB391EA35EE858B61
                                                            APIs
                                                            • GetDriveTypeW.KERNELBASE(?), ref: 04E2E800
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784430480.0000000004DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04DD1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_4dd1000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: DriveType
                                                            • String ID:
                                                            • API String ID: 338552980-0
                                                            • Opcode ID: 0f196d573cf1c67957cec637eb0895aedadb0d8e97fddc6470284e2b5b1ab430
                                                            • Instruction ID: d028bd2cd0563fbe0ee748fad62e8c42f4eec7eb3b87fb9c5aede4a6dca000ba
                                                            • Opcode Fuzzy Hash: 0f196d573cf1c67957cec637eb0895aedadb0d8e97fddc6470284e2b5b1ab430
                                                            • Instruction Fuzzy Hash: E7E13B2AA49771CBD7108A1CC1D01DFBBD19B96320F1DAE1DE8DB273A1E234AC45D792
                                                            APIs
                                                            • CheckRemoteDebuggerPresent.KERNELBASE(00000000,00000000), ref: 04DD6D99
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784430480.0000000004DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04DD1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_4dd1000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: CheckDebuggerPresentRemote
                                                            • String ID:
                                                            • API String ID: 3662101638-0
                                                            APIs
                                                            • CreateThread.KERNELBASE(Function_0001239F,Function_0001239F,Function_0001239F,?,?,?), ref: 100127EC
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1785905243.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000002.00000002.1785882178.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785925566.0000000010015000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785942469.000000001001E000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785957907.000000001001F000.00000002.00000001.01000000.00000004.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_10000000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: CreateThread
                                                            • String ID:
                                                            • API String ID: 2422867632-0

                                                            Control-flow Graph

                                                            APIs
                                                            • OutputDebugStringA.KERNELBASE(xlogInit(), ref: 0092521F
                                                            • OutputDebugStringA.KERNELBASE(devio), ref: 00925226
                                                            • OutputDebugStringA.KERNEL32(009B6730), ref: 0092522D
                                                            • RegOpenKeyExA.KERNELBASE(80000001,SOFTWARE\Logitech\devio,00000000,00020019,?), ref: 00925247
                                                            • OutputDebugStringA.KERNELBASE(?), ref: 00925292
                                                            • RegQueryValueExA.ADVAPI32(?,Logging,00000000,00000000,?,?), ref: 009252DB
                                                            • OutputDebugStringA.KERNEL32(?), ref: 00925332
                                                            • RegQueryValueExA.ADVAPI32(?,LoggingLevel,00000000,00000000,00000000,00000004), ref: 00925351
                                                            • OutputDebugStringA.KERNEL32(?), ref: 009253A8
                                                            • RegQueryValueExA.ADVAPI32(?,TracingOutput,00000000,00000000,00000000,00000004), ref: 009253C7
                                                            • RegCloseKey.ADVAPI32(?), ref: 00925427
                                                              • Part of subcall function 00925570: __vsnprintf_s.LIBCMT ref: 00925586
                                                            • OutputDebugStringA.KERNEL32(?), ref: 0092541F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1783021971.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_8f0000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: DebugOutputString$QueryValue$CloseOpen__vsnprintf_s
                                                            • String ID: %s(%d): ASSERT FAILURE! Expression: %s$..\xlog.cpp$Couldn't read SOFTWARE\Logitech\devio registry key. Error code = %d$Couldn't read SOFTWARE\Logitech\devio\Logging registry value. Error code = %d$Couldn't read SOFTWARE\Logitech\devio\LoggingLevel registry value, using default level. Error code = %d$Couldn't read SOFTWARE\Logitech\devio\TracingOutput registry value, using default level. Error code = %d$Logging$LoggingLevel$SOFTWARE\Logitech\devio$TracingOutput$devio$nBuf >= 0$xlogInit(
                                                            • API String ID: 1884204934-3802629108

                                                            Control-flow Graph

                                                            APIs
                                                            • memmove.MSVCRT(?,?,00000008), ref: 100123F1
                                                            • memmove.MSVCRT(?,?,00000008), ref: 10012414
                                                              • Part of subcall function 100106C6: memmove.MSVCRT(?,?,00000008,?,?,10012421), ref: 100106EB
                                                            • Sleep.KERNELBASE(0000000A), ref: 1001247E
                                                            • GetFileAttributesW.KERNELBASE(?), ref: 100124DE
                                                            • memmove.MSVCRT(?,?,00000008), ref: 1001252C
                                                            • memmove.MSVCRT(?,?,00000008), ref: 1001254F
                                                            • Sleep.KERNELBASE(00000001), ref: 100125B9
                                                            • CreateFileW.KERNELBASE(?,80000000,00000003,00000003,00000003,00000000,00000000), ref: 10012635
                                                            • memmove.MSVCRT(?,?,00000008), ref: 1001267B
                                                            • memmove.MSVCRT(?,?,00000008), ref: 1001269E
                                                            • Sleep.KERNELBASE(00000001), ref: 10012711
                                                            • exit.MSVCRT ref: 10012777
                                                            • exit.MSVCRT ref: 1001278A
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1785905243.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000002.00000002.1785882178.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785925566.0000000010015000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785942469.000000001001E000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785957907.000000001001F000.00000002.00000001.01000000.00000004.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_10000000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: memmove$Sleep$Fileexit$AttributesCreate
                                                            • String ID:
                                                            • API String ID: 3954042083-0

                                                            Control-flow Graph

                                                            APIs
                                                            • LoadStringW.USER32(?,00000067,LDeviceDetectionHelper,00000064), ref: 008F1A85
                                                            • LoadStringW.USER32(?,0000006D,LDEVICEDETECTIONHELPER,00000064), ref: 008F1A95
                                                              • Part of subcall function 008F1B30: LoadIconW.USER32(?,0000006B), ref: 008F1B69
                                                              • Part of subcall function 008F1B30: LoadCursorW.USER32(00000000,00007F00), ref: 008F1B79
                                                              • Part of subcall function 008F1B30: LoadIconW.USER32(?,0000006C), ref: 008F1B9C
                                                              • Part of subcall function 008F1B30: RegisterClassExW.USER32(00000030), ref: 008F1BA9
                                                            • CreateWindowExW.USER32(00000000,LDEVICEDETECTIONHELPER,LDeviceDetectionHelper,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 008F1ACE
                                                            • UpdateWindow.USER32(00000000), ref: 008F1AD9
                                                            • LoadAcceleratorsW.USER32(?,0000006D), ref: 008F1AE2
                                                            • ExitProcess.KERNEL32 ref: 008F1B0E
                                                            • ExitProcess.KERNEL32 ref: 008F1B16
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1783021971.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_8f0000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: Load$ExitIconProcessStringWindow$AcceleratorsClassCreateCursorRegisterUpdate
                                                            • String ID: LDEVICEDETECTIONHELPER$LDeviceDetectionHelper
                                                            • API String ID: 271055542-638040668

                                                            Control-flow Graph

                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kfpk), ref: 04DD1185
                                                            • GetProcAddress.KERNEL32(00000000,kfpk), ref: 04DD11DD
                                                            • WriteProcessMemory.KERNELBASE(00000000,00000000,kfpk,00000005,?), ref: 04DD1274
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784430480.0000000004DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04DD1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_4dd1000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadMemoryProcProcessWrite
                                                            • String ID: \NX$`g{z$ak5+$bj$kfpk
                                                            • API String ID: 3389589582-654326175

                                                            Control-flow Graph

                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 0097DFFD
                                                              • Part of subcall function 0096E11F: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,009796D8,00000000,00000100,7FFFFFFF,00000000,00000100,00000040,?,00000044,00993D22,?,?,?), ref: 0096E129
                                                            • Concurrency::details::ThreadProxyFactoryManager::ThreadProxyFactoryManager.LIBCMT ref: 0097E04E
                                                              • Part of subcall function 00996C76: __EH_prolog3.LIBCMT ref: 00996C7D
                                                              • Part of subcall function 00996C76: TlsAlloc.KERNEL32(00000014,0097E053,00000014,0097E8D5,00000008,0097B056,00000064,0097AB0C,00000008,0097A468,?,?), ref: 00996C9A
                                                              • Part of subcall function 00996C76: GetLastError.KERNEL32(?,?,?,?,0096E74F,000000FF,009E2698), ref: 00996CA8
                                                              • Part of subcall function 00996C76: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00996CBE
                                                              • Part of subcall function 00996C76: __CxxThrowException@8.LIBCMT ref: 00996CCC
                                                              • Part of subcall function 009803E5: Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCMT ref: 00980408
                                                              • Part of subcall function 009803E5: Concurrency::details::ResourceManager::GetTopologyInformation.LIBCMT ref: 00980429
                                                              • Part of subcall function 009803E5: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 0098045E
                                                              • Part of subcall function 009803E5: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 0098049F
                                                              • Part of subcall function 009803E5: Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 009805A0
                                                            • Concurrency::details::ResourceManager::DetermineTopology.LIBCMT ref: 0097E061
                                                              • Part of subcall function 0097E9BE: _memset.LIBCMT ref: 0097EA06
                                                              • Part of subcall function 0097E9BE: _memset.LIBCMT ref: 0097EA4C
                                                              • Part of subcall function 0097E9BE: Concurrency::details::GlobalNode::Initialize.LIBCMT ref: 0097EAC0
                                                            • VirtualAlloc.KERNEL32(00000000,00001000,00003000,00000004,00000014,0097E8D5,00000008,0097B056,00000064,0097AB0C,00000008,0097A468,?,?), ref: 0097E086
                                                            • std::exception::exception.LIBCMT ref: 0097E0A6
                                                            • __CxxThrowException@8.LIBCMT ref: 0097E0BB
                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,0096E74F,000000FF,009E2698), ref: 0097E0C7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1783021971.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_8f0000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: Concurrency::details::$Manager::$Resource$AffinityTopology$AllocApplyException@8FactoryH_prolog3InformationInitializeProxyRestrictionsThreadThrow_memset$CaptureCleanupConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCountCreateCriticalDetermineErrorEventGlobalLastManagerNode::ProcessSectionSpinVirtualstd::exception::exception
                                                            • String ID: bad allocation
                                                            • API String ID: 2430304359-2104205924

                                                            Control-flow Graph

                                                            APIs
                                                            • std::exception::exception.LIBCMT ref: 009810AF
                                                            • __CxxThrowException@8.LIBCMT ref: 009810C4
                                                            • __EH_prolog3.LIBCMT ref: 009810D1
                                                            • Concurrency::details::_NonReentrantLock::_Acquire.LIBCMT ref: 009810ED
                                                            • SetEvent.KERNEL32(?), ref: 0098113A
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00981145
                                                            • Concurrency::details::ResourceManager::~ResourceManager.LIBCMT ref: 0098114D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1783021971.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_8f0000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: Resource$AcquireConcurrency::details::Concurrency::details::_EventException@8H_prolog3Lock::_ManagerManager::~ObjectReentrantSingleThrowWaitstd::exception::exception
                                                            • String ID: version
                                                            • API String ID: 2288242127-3206337475

                                                            Control-flow Graph

                                                            APIs
                                                            • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCMT ref: 00980408
                                                            • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCMT ref: 00980429
                                                            • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 0098045E
                                                            • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 0098049F
                                                            • Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 009805A0
                                                              • Part of subcall function 009816BE: GetVersionExW.KERNEL32(?), ref: 009816E2
                                                              • Part of subcall function 009816BE: Concurrency::details::WinRT::Initialize.LIBCMT ref: 00981779
                                                            • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCMT ref: 00980501
                                                            • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 0098052A
                                                              • Part of subcall function 0097E371: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 0097E392
                                                            • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00980551
                                                            • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCMT ref: 009805C4
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1783021971.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_8f0000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: Concurrency::details::$Manager::Resource$Affinity$ApplyRestrictions$InformationTopology$CaptureProcess$CleanupInitializeVersion
                                                            • String ID:
                                                            • API String ID: 3944362921-0

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 0096963D: mtx_do_lock.LIBCPMT ref: 00969645
                                                            • __Mtx_unlock.LIBCPMT ref: 0094E04B
                                                            • __Mtx_unlock.LIBCPMT ref: 0094E0A4
                                                              • Part of subcall function 00969687: std::_Throw_Cpp_error.LIBCPMT ref: 009696AE
                                                            Strings
                                                            • Win32Bus::lazyStart waiting, xrefs: 0094DFD9
                                                            • Win32Bus::lazyStart already started, xrefs: 0094DEF3
                                                            • Win32Bus::lazyStart enter, xrefs: 0094DEB8
                                                            • Win32Bus::lazyStart performing startup, xrefs: 0094DF07
                                                            • Win32Bus::lazyStart exit, xrefs: 0094E08F
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1783021971.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_8f0000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: Mtx_unlock$Cpp_errorThrow_mtx_do_lockstd::_
                                                            • String ID: Win32Bus::lazyStart already started$Win32Bus::lazyStart enter$Win32Bus::lazyStart exit$Win32Bus::lazyStart performing startup$Win32Bus::lazyStart waiting
                                                            • API String ID: 994104373-1468356143

                                                            Control-flow Graph

                                                            APIs
                                                            • LoadIconW.USER32(?,0000006B), ref: 008F1B69
                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 008F1B79
                                                            • LoadIconW.USER32(?,0000006C), ref: 008F1B9C
                                                            • RegisterClassExW.USER32(00000030), ref: 008F1BA9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1783021971.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_8f0000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: Load$Icon$ClassCursorRegister
                                                            • String ID: 0$LDEVICEDETECTIONHELPER$m
                                                            • API String ID: 4202395251-297299717

                                                            Control-flow Graph

                                                            APIs
                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 008F1BFE
                                                            • DefWindowProcW.USER32(?,00000111,?,?), ref: 008F1C2E
                                                            • BeginPaint.USER32(?,?), ref: 008F1C91
                                                            • EndPaint.USER32(?,?), ref: 008F1C9D
                                                            • PostQuitMessage.USER32(00000000), ref: 008F1CB9
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1783021971.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_8f0000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: PaintProcWindow$BeginMessagePostQuit
                                                            • String ID:
                                                            • API String ID: 3181456275-0

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 0096963D: mtx_do_lock.LIBCPMT ref: 00969645
                                                              • Part of subcall function 00969687: std::_Throw_Cpp_error.LIBCPMT ref: 009696AE
                                                            • __Mtx_unlock.LIBCPMT ref: 00934A64
                                                            • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00934ACB
                                                            • __Mtx_unlock.LIBCPMT ref: 00934B6B
                                                            • __Mtx_unlock.LIBCPMT ref: 00934C27
                                                            • __Mtx_unlock.LIBCPMT ref: 00934C9B
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1783021971.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_8f0000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: Mtx_unlock$Concurrency::details::_Concurrent_queue_base_v4::_Cpp_errorInternal_throw_exceptionThrow_mtx_do_lockstd::_
                                                            • String ID:
                                                            • API String ID: 1160676196-0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784430480.0000000004DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04DD1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_4dd1000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: dllmain_raw$dllmain_crt_dispatch
                                                            • String ID:
                                                            • API String ID: 3136044242-0
                                                            APIs
                                                              • Part of subcall function 0096963D: mtx_do_lock.LIBCPMT ref: 00969645
                                                            • __Mtx_unlock.LIBCPMT ref: 008F2B9F
                                                            • __Mtx_unlock.LIBCPMT ref: 008F2AE1
                                                              • Part of subcall function 00969687: std::_Throw_Cpp_error.LIBCPMT ref: 009696AE
                                                            Strings
                                                            • CDevio::getimpl creating cdevio DeviceManager, xrefs: 008F2B1F
                                                            • CDevio::getimpl retuning nullptr due to shutdown, xrefs: 008F2A7A
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1783021971.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 00000002.00000002.1782978926.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783117717.00000000009A9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783257820.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783275995.00000000009DC000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783291990.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783305365.00000000009E3000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783318707.00000000009EC000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783372490.00000000009ED000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783389024.00000000009F5000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783389024.00000000009F8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783419263.00000000009FC000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783419263.0000000000A88000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_8f0000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: Mtx_unlock$Cpp_errorThrow_mtx_do_lockstd::_
                                                            • String ID: CDevio::getimpl creating cdevio DeviceManager$CDevio::getimpl retuning nullptr due to shutdown
                                                            • API String ID: 994104373-1345756949
                                                            • Opcode ID: 0fc016f7504b69b172313469e77effd5e4c1261bdceda7c9a6baaf1e3b5a3d2e
                                                            • Instruction ID: 3ae5d4b3b953d7c066874916d04e9c1bc3259c81f8810c0b18c99d2d4d7ce04e
                                                            • Opcode Fuzzy Hash: 0fc016f7504b69b172313469e77effd5e4c1261bdceda7c9a6baaf1e3b5a3d2e
                                                            • Instruction Fuzzy Hash: D6518AB16087059FD710CF24C944B6AFBE8FF88324F04462DE95997390EB75E908CB92
                                                            APIs
                                                            • _malloc.LIBCMT ref: 0096A686
                                                              • Part of subcall function 0096F861: __FF_MSGBANNER.LIBCMT ref: 0096F878
                                                              • Part of subcall function 0096F861: __NMSG_WRITE.LIBCMT ref: 0096F87F
                                                              • Part of subcall function 0096F861: RtlAllocateHeap.NTDLL(00E30000,00000000,00000001,?,?,?,?,0096A68B,?), ref: 0096F8A4
                                                            • std::exception::exception.LIBCMT ref: 0096A6A2
                                                            • __CxxThrowException@8.LIBCMT ref: 0096A6B7
                                                              • Part of subcall function 0096DA4B: RaiseException.KERNEL32(?,?,00000000,009CE810,?,?,?,0096A6BC,00000000,009CE810,00000000,00000001), ref: 0096DA9C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1783021971.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 00000002.00000002.1782978926.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783117717.00000000009A9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783257820.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783275995.00000000009DC000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783291990.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783305365.00000000009E3000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783318707.00000000009EC000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783372490.00000000009ED000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783389024.00000000009F5000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783389024.00000000009F8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783419263.00000000009FC000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783419263.0000000000A88000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_8f0000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                            • String ID: bad allocation
                                                            • API String ID: 3074076210-2104205924
                                                            • Opcode ID: 457f3bf50c228bd8c8053dd596a43da5a6c79ef82b41ad4dd3b94c3eb1f1b56b
                                                            • Instruction ID: 7d117a37991d36aa946e2a32befbaad1ba4d3bbc7fdbbb1b5a3fdec3bda308c4
                                                            • Opcode Fuzzy Hash: 457f3bf50c228bd8c8053dd596a43da5a6c79ef82b41ad4dd3b94c3eb1f1b56b
                                                            • Instruction Fuzzy Hash: B1E06D7550020AAADF00FBA4DC22AEE77BCBF81704F548965A511B5082EFB0DA449AA2
                                                            APIs
                                                              • Part of subcall function 0097A5E3: TlsGetValue.KERNEL32(0097A096,00000000,?,00000000,?,?,?,?,?,?,0096E74F,000000FF,009E2698,?), ref: 0097A5E9
                                                            • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCMT ref: 0097A0AA
                                                              • Part of subcall function 009916E9: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCMT ref: 00991710
                                                              • Part of subcall function 009916E9: Concurrency::details::InternalContextBase::PrepareForUse.LIBCMT ref: 00991727
                                                              • Part of subcall function 009916E9: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCMT ref: 0099178A
                                                              • Part of subcall function 009916E9: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCMT ref: 00991792
                                                            • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 0097A0C2
                                                            • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0097A0CC
                                                            • __CxxThrowException@8.LIBCMT ref: 0097A0EA
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1783021971.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 00000002.00000002.1782978926.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783117717.00000000009A9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783257820.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783275995.00000000009DC000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783291990.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783305365.00000000009E3000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783318707.00000000009EC000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783372490.00000000009ED000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783389024.00000000009F5000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783389024.00000000009F8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783419263.00000000009FC000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783419263.0000000000A88000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_8f0000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: Concurrency::details::Context$Base::$Internal$Scheduler$AvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushThrowValueVirtualWork
                                                            • String ID:
                                                            • API String ID: 848655144-0
                                                            • Opcode ID: afd28d489cfddd221e796fb757f37dba659821a84fd9c70ff59bbdbd920fb56c
                                                            • Instruction ID: e5fa759699de36d414d6fd3cbdc49e14f62736e49f5ee1312acef30b8992575d
                                                            • Opcode Fuzzy Hash: afd28d489cfddd221e796fb757f37dba659821a84fd9c70ff59bbdbd920fb56c
                                                            • Instruction Fuzzy Hash: 9AF0B433A0451867CE15B6698813B6DF76D9FD1B50B04C52AF41593152EF74DE0687C3
                                                            APIs
                                                            • CreateThread.KERNELBASE(00000000,00000000,Function_00000400,00000000,00000000,00000000), ref: 04DD4757
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784430480.0000000004DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04DD1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_4dd1000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: CreateThread
                                                            • String ID: aCkg$zjoi
                                                            • API String ID: 2422867632-902515428
                                                            • Opcode ID: 185006051b7996125abf99483e8087bbb6d4a870502110a4e7cb25d8b7232448
                                                            • Instruction ID: 1a21cbe53c7170ee19c3721c647262226185101a1ca9d05dfdfd1b74507cc879
                                                            • Opcode Fuzzy Hash: 185006051b7996125abf99483e8087bbb6d4a870502110a4e7cb25d8b7232448
                                                            • Instruction Fuzzy Hash: BE9139743097819FDB18DA28C5D02AEBBE2EFD6314F289A1DD0D647394D630A8098B92
                                                            APIs
                                                            • memmove.MSVCRT(?,?,00000008), ref: 100111FF
                                                            • memmove.MSVCRT(?,?,00000008), ref: 10011222
                                                            • GetFileAttributesW.KERNELBASE(?), ref: 1001169E
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1785905243.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000002.00000002.1785882178.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785925566.0000000010015000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785942469.000000001001E000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785957907.000000001001F000.00000002.00000001.01000000.00000004.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_10000000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: memmove$AttributesFile
                                                            • String ID:
                                                            • API String ID: 3488883208-0
                                                            • Opcode ID: 393d68388f28362f2724fce5562d2b68e884e2862c22717d5fa5b97a1c0e2b7d
                                                            • Instruction ID: 188719590380a844a36fb23768b1f933b7d72df5dde450fc3f8b063604681a04
                                                            • Opcode Fuzzy Hash: 393d68388f28362f2724fce5562d2b68e884e2862c22717d5fa5b97a1c0e2b7d
                                                            • Instruction Fuzzy Hash: F642C3B5F041589FEB98CBA8D891BAD77B5FB08300F148469F50AEB391E634ED84CB51
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1785905243.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000002.00000002.1785882178.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785925566.0000000010015000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785942469.000000001001E000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785957907.000000001001F000.00000002.00000001.01000000.00000004.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_10000000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d9b0a5c47e68f9c25bb9c22b0624f3dba71faa9fc8732119288908e27f6f0763
                                                            • Instruction ID: 540ef934cdaff0dd5b908b3dfab6054eac2773d6b10e53b0462d40fb94d822da
                                                            • Opcode Fuzzy Hash: d9b0a5c47e68f9c25bb9c22b0624f3dba71faa9fc8732119288908e27f6f0763
                                                            • Instruction Fuzzy Hash: A832C4B5E041589FEB98CBA8DC91BAD77F5EB09300F148468F50AEB391E634ED84CB51
                                                            APIs
                                                            • memmove.MSVCRT(?,1001E9D0,00000010), ref: 10010AAD
                                                            • memmove.MSVCRT(1001E9D0,?,00000010), ref: 10010AF8
                                                            • memmove.MSVCRT(?,1001E9D0,00000010), ref: 10010B10
                                                            • memmove.MSVCRT(10010B51,?,00000010), ref: 10010B34
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1785905243.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000002.00000002.1785882178.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785925566.0000000010015000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785942469.000000001001E000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785957907.000000001001F000.00000002.00000001.01000000.00000004.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_10000000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: memmove
                                                            • String ID:
                                                            • API String ID: 2162964266-0
                                                            • Opcode ID: a4e70cf115cb7a04fcae93bbf5b46bde98e529300b6d6175b06c053bd0432276
                                                            • Instruction ID: 487aaad323c07900bc9ce3e3c7fb514acddcd6e5e2070f4f0982a15122708d89
                                                            • Opcode Fuzzy Hash: a4e70cf115cb7a04fcae93bbf5b46bde98e529300b6d6175b06c053bd0432276
                                                            • Instruction Fuzzy Hash: DD115EF1E1424896DB00D6E89C16BEF366CDB14304F440829F485EF282FDB9F99853E6
                                                            APIs
                                                            • CreateWindowExW.USER32(00000080,?,00CF0000,00CF0000,00FFEC78,?,?,?,?,?,?,?), ref: 1001358D
                                                            • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 10013601
                                                            • DispatchMessageW.USER32(?), ref: 10013680
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1785905243.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000002.00000002.1785882178.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785925566.0000000010015000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785942469.000000001001E000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785957907.000000001001F000.00000002.00000001.01000000.00000004.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_10000000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: CallbackCreateDispatchDispatcherMessageUserWindow
                                                            • String ID:
                                                            • API String ID: 534503920-0
                                                            • Opcode ID: e479233eb509b7e01557353a193526601c834b994e1ae726b2cfb9c8457815c5
                                                            • Instruction ID: dc67adcfb7311b81c226aac6c319e60191da461bd35f48247270bb5aff0e8e82
                                                            • Opcode Fuzzy Hash: e479233eb509b7e01557353a193526601c834b994e1ae726b2cfb9c8457815c5
                                                            • Instruction Fuzzy Hash: DB8162B5E052589FEBA4CBECC881B9E77F8EB08300F148029F519EB351E635ED458B55
                                                            APIs
                                                            • memmove.MSVCRT(?,?,00000010), ref: 100107C3
                                                            • memmove.MSVCRT(?,?,00000010), ref: 1001083C
                                                            • memmove.MSVCRT(10010AE5,?,00000010), ref: 1001088D
                                                              • Part of subcall function 1000A12E: exit.MSVCRT ref: 1000A179
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1785905243.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000002.00000002.1785882178.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785925566.0000000010015000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785942469.000000001001E000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785957907.000000001001F000.00000002.00000001.01000000.00000004.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_10000000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: memmove$exit
                                                            • String ID:
                                                            • API String ID: 987259897-0
                                                            • Opcode ID: 13f6236e8001f84d8d50cc28138ab8ed8a9d094c7e892a25910079192244be29
                                                            • Instruction ID: 2dc59664bfea09c3a17224cb3d5dd87a2c2825d05b954e2f745e99ba9abf3260
                                                            • Opcode Fuzzy Hash: 13f6236e8001f84d8d50cc28138ab8ed8a9d094c7e892a25910079192244be29
                                                            • Instruction Fuzzy Hash: 404186B5E081489BDB11D6E8C841BEF76BCDB18300F04052AF484FF282E5B9E9D487B2
                                                            APIs
                                                            • __RTC_Initialize.LIBCMT ref: 04E57B3B
                                                              • Part of subcall function 04E57FAD: RtlInitializeSListHead.NTDLL(04E731E8), ref: 04E57FB2
                                                            • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 04E57BA5
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784430480.0000000004DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04DD1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_4dd1000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                                                            • String ID:
                                                            • API String ID: 3231365870-0
                                                            • Opcode ID: 2f89ed137fdc01fa92b12b056b86aeea17a955644abbf003641bdd6de4d447a4
                                                            • Instruction ID: a040cbd6423055574dfe19ba5f7c9034fb21c128c66c754fc1e89b2cb5478c75
                                                            • Opcode Fuzzy Hash: 2f89ed137fdc01fa92b12b056b86aeea17a955644abbf003641bdd6de4d447a4
                                                            • Instruction Fuzzy Hash: 992136316843159FFB94BBB4A4017ED3BA2AF113ADF00B21ADD41272E1CB713564CA66
                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 0097E870
                                                            • Concurrency::details::_NonReentrantLock::_Acquire.LIBCMT ref: 0097E87D
                                                              • Part of subcall function 0097CA99: _SpinWait.LIBCMT ref: 0097CAB9
                                                              • Part of subcall function 0096A66E: _malloc.LIBCMT ref: 0096A686
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1783021971.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 00000002.00000002.1782978926.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783117717.00000000009A9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783257820.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783275995.00000000009DC000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783291990.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783305365.00000000009E3000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783318707.00000000009EC000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783372490.00000000009ED000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783389024.00000000009F5000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783389024.00000000009F8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783419263.00000000009FC000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783419263.0000000000A88000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_8f0000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: AcquireConcurrency::details::_H_prolog3Lock::_ReentrantSpinWait_malloc
                                                            • String ID:
                                                            • API String ID: 2268652638-0
                                                            • Opcode ID: b34f20281f5fcdda21a952c7990b37febdba2502c8b7e42f7cda161597e73b13
                                                            • Instruction ID: 60a87dcbdd9cca09347fb40c225d9c0b9bad6b14a9b55f4cc6ba28b85536d54f
                                                            • Opcode Fuzzy Hash: b34f20281f5fcdda21a952c7990b37febdba2502c8b7e42f7cda161597e73b13
                                                            • Instruction Fuzzy Hash: 6D019232A09205EFDB24EBFCA5457AD66E46F8D304F1484BDE40AEB382DE344E409792
                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 0097E814
                                                              • Part of subcall function 0096A66E: _malloc.LIBCMT ref: 0096A686
                                                            • Concurrency::details::SchedulerProxy::SchedulerProxy.LIBCMT ref: 0097E84C
                                                              • Part of subcall function 00995A62: __EH_prolog3.LIBCMT ref: 00995A69
                                                              • Part of subcall function 00995A62: GetCurrentThread.KERNEL32 ref: 00995B41
                                                              • Part of subcall function 00995A62: GetThreadPriority.KERNEL32(00000000), ref: 00995B48
                                                              • Part of subcall function 00995A62: Concurrency::details::ResourceManager::GetCoreCount.LIBCMT ref: 00995B61
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1783021971.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 00000002.00000002.1782978926.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783117717.00000000009A9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783257820.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783275995.00000000009DC000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783291990.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783305365.00000000009E3000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783318707.00000000009EC000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783372490.00000000009ED000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783389024.00000000009F5000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783389024.00000000009F8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783419263.00000000009FC000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783419263.0000000000A88000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_8f0000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: Concurrency::details::H_prolog3SchedulerThread$CoreCountCurrentManager::PriorityProxyProxy::Resource_malloc
                                                            • String ID:
                                                            • API String ID: 2565426395-0
                                                            • Opcode ID: cb108e9dbcf29cdf62493fafee3846a66075601b94eb8edf178ab28636934ff0
                                                            • Instruction ID: f507f72bbca850d5277f186d5419518c5425fce4234cbced72d9ac027fcb3cc7
                                                            • Opcode Fuzzy Hash: cb108e9dbcf29cdf62493fafee3846a66075601b94eb8edf178ab28636934ff0
                                                            • Instruction Fuzzy Hash: 48F0B471A04208EBDB04EBF8C855B9EBBA4AF54750F088219B409DB2C1EB708F41CB95
                                                            APIs
                                                              • Part of subcall function 0098E666: std::bad_exception::bad_exception.LIBCMT ref: 0098E69B
                                                              • Part of subcall function 0098E666: __CxxThrowException@8.LIBCMT ref: 0098E6A9
                                                            • Concurrency::details::SchedulerBase::CheckStaticConstruction.LIBCMT ref: 0097A4B1
                                                              • Part of subcall function 0097A1D7: __EH_prolog3.LIBCMT ref: 0097A1DE
                                                              • Part of subcall function 0097A1D7: Concurrency::details::_NonReentrantLock::_Acquire.LIBCMT ref: 0097A1EB
                                                            • Concurrency::details::ThreadScheduler::Create.LIBCMT ref: 0097A4B9
                                                              • Part of subcall function 00993DB2: __EH_prolog3.LIBCMT ref: 00993DB9
                                                              • Part of subcall function 00993DB2: Concurrency::details::ThreadScheduler::ThreadScheduler.LIBCMT ref: 00993DDA
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1783021971.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 00000002.00000002.1782978926.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783117717.00000000009A9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783257820.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783275995.00000000009DC000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783291990.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783305365.00000000009E3000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783318707.00000000009EC000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783372490.00000000009ED000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783389024.00000000009F5000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783389024.00000000009F8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783419263.00000000009FC000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783419263.0000000000A88000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_8f0000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: Concurrency::details::Thread$H_prolog3SchedulerScheduler::$AcquireBase::CheckConcurrency::details::_ConstructionCreateException@8Lock::_ReentrantStaticThrowstd::bad_exception::bad_exception
                                                            • String ID:
                                                            • API String ID: 3422515427-0
                                                            • Opcode ID: e6fcedd4bf78c254c0f43dfd302491c09ebb4ab2e01881587aa67e2aee81724c
                                                            • Instruction ID: 003317403e3fd3cc64e7c468f5bb58f0ae2f2a4a0f0d6f0106c3c449330a6ee1
                                                            • Opcode Fuzzy Hash: e6fcedd4bf78c254c0f43dfd302491c09ebb4ab2e01881587aa67e2aee81724c
                                                            • Instruction Fuzzy Hash: 25C0123315410D169E107AA8FC1267D375C5BC0260B448021FC0C896A1EE25E9909561
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 04E5CAE7
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784430480.0000000004DD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04DD1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_4dd1000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: 8dd0c156f6d59f46fb140be3d15fe90632db014c830f3bf8b721176bb0f23330
                                                            • Instruction ID: 270e1818a08155190b66bd5f5441ae10927a5acca2f32ac97f10a0b728c8bd08
                                                            • Opcode Fuzzy Hash: 8dd0c156f6d59f46fb140be3d15fe90632db014c830f3bf8b721176bb0f23330
                                                            • Instruction Fuzzy Hash: F7F0E035245324BBE721DB32DC24A5A7F48EF41779B247121EC46F61B6DA70F800D2E0
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(00000000,?,?,100136F6,?,?,10013741), ref: 10009C89
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1785905243.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000002.00000002.1785882178.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785925566.0000000010015000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785942469.000000001001E000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785957907.000000001001F000.00000002.00000001.01000000.00000004.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_10000000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: a79418b16b3923f9f2aa2de0941e137c1de688f58f90d08883f3e889b3b4a432
                                                            • Instruction ID: 4cc8a05590fc551b87164602cea24276bbbb133b00760f41cdd63dd6178cefda
                                                            • Opcode Fuzzy Hash: a79418b16b3923f9f2aa2de0941e137c1de688f58f90d08883f3e889b3b4a432
                                                            • Instruction Fuzzy Hash: 37E026B4E01209AFDB40DFB8D545B8EBAF8EB09244F5040A5A448EB341E635EA449B91
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(00000000), ref: 1000CAA7
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1785905243.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000002.00000002.1785882178.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785925566.0000000010015000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785942469.000000001001E000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785957907.000000001001F000.00000002.00000001.01000000.00000004.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_10000000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: 7397274668bb11ed8a7859a7d89362e36e89374d79a514b5d9fec236ede3a02e
                                                            • Instruction ID: 9928524e8997be6eed0b0c4da7192eeeba4e69c693685ab7a03e6859788aec8e
                                                            • Opcode Fuzzy Hash: 7397274668bb11ed8a7859a7d89362e36e89374d79a514b5d9fec236ede3a02e
                                                            • Instruction Fuzzy Hash: 18E026B4E0120CAFDB40DFB8D555B8EBAF8EB09244F5040A5A448EB341E635EA449B91
                                                            APIs
                                                            • NimMain.HID(?,1001495F,?,?,?), ref: 10013778
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1785905243.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000002.00000002.1785882178.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785925566.0000000010015000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785942469.000000001001E000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785957907.000000001001F000.00000002.00000001.01000000.00000004.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_10000000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: Main
                                                            • String ID:
                                                            • API String ID: 521822810-0
                                                            • Opcode ID: eee0461ee4cf42c1343d4532c7b99a9283a4f92fe6e499f90b07e72f61d5f2bd
                                                            • Instruction ID: 9a69a69d327b0bccd164071577cc9ba4256b0052a10373321c995ae94e92ba48
                                                            • Opcode Fuzzy Hash: eee0461ee4cf42c1343d4532c7b99a9283a4f92fe6e499f90b07e72f61d5f2bd
                                                            • Instruction Fuzzy Hash: 6CC092B968814857D320E668D146F4E73D8E712358F90C520E891DB2C1D6B9EC9986E6
                                                            APIs
                                                            • mtx_do_lock.LIBCPMT ref: 00969645
                                                              • Part of subcall function 00969436: GetCurrentThreadId.KERNEL32 ref: 00969465
                                                              • Part of subcall function 00969436: Concurrency::critical_section::lock.LIBCMT ref: 0096946F
                                                              • Part of subcall function 00969436: GetCurrentThreadId.KERNEL32 ref: 00969474
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1783021971.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                            • Associated: 00000002.00000002.1782978926.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783117717.00000000009A9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783257820.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783275995.00000000009DC000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783291990.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783305365.00000000009E3000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783318707.00000000009EC000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783372490.00000000009ED000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783389024.00000000009F5000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783389024.00000000009F8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783419263.00000000009FC000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.1783419263.0000000000A88000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_8f0000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: CurrentThread$Concurrency::critical_section::lockmtx_do_lock
                                                            • String ID:
                                                            • API String ID: 3783503772-0
                                                            • Opcode ID: 77012dcc7c5a458bee7e84217555ee53710cb43767758ceedaf1f6d14c711e1b
                                                            • Instruction ID: 7ab52d3407ee04bec65c03b9be5fd34ce6d8342c61969b7a661ef40161ec46cc
                                                            • Opcode Fuzzy Hash: 77012dcc7c5a458bee7e84217555ee53710cb43767758ceedaf1f6d14c711e1b
                                                            • Instruction Fuzzy Hash: 9FB0123204C30C3AE9242653FC03B043B8CC740670E604016F50C081E16D637851008C
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1785905243.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000002.00000002.1785882178.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785925566.0000000010015000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785942469.000000001001E000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785957907.000000001001F000.00000002.00000001.01000000.00000004.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_10000000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: lstrcmpi
                                                            • String ID:
                                                            • API String ID: 1586166983-0
                                                            • Opcode ID: d933f491d16957463911e936a6b6d13cc2059d35ba7fe8bcb54cf691b674e269
                                                            • Instruction ID: ca7bbb57a06104312b1ef33509a402202c083bbc75f2d1b29e938486518af983
                                                            • Opcode Fuzzy Hash: d933f491d16957463911e936a6b6d13cc2059d35ba7fe8bcb54cf691b674e269
                                                            • Instruction Fuzzy Hash: 3C51D6B1E041099FEB50CFA8C991BAEB7B4EF08340F244429E415EB785D638AA40EB65
                                                            APIs
                                                            • VirtualAlloc.KERNEL32(00000004,00000004,00003000,00000004,1000445E), ref: 1000AD04
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1785905243.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000002.00000002.1785882178.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785925566.0000000010015000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785942469.000000001001E000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785957907.000000001001F000.00000002.00000001.01000000.00000004.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_10000000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 910090c5759a44d4d51707e254fab85e236fafe18cb647e3ddba5b944b8a2fd0
                                                            • Instruction ID: 7dd3b44d8606867c633242ab4066b12f2a3b9c8a10ad2c88f87f889e02634181
                                                            • Opcode Fuzzy Hash: 910090c5759a44d4d51707e254fab85e236fafe18cb647e3ddba5b944b8a2fd0
                                                            • Instruction Fuzzy Hash: 83E0ECB4A01108FBEB90DBECD941B8E76ECDB05344F204065B509F7384D638EE809B65
                                                            APIs
                                                              • Part of subcall function 10010A74: memmove.MSVCRT(?,1001E9D0,00000010), ref: 10010AAD
                                                              • Part of subcall function 10010A74: memmove.MSVCRT(?,1001E9D0,00000010), ref: 10010B10
                                                              • Part of subcall function 10010A74: memmove.MSVCRT(10010B51,?,00000010), ref: 10010B34
                                                            • memmove.MSVCRT(1001E9C0,?,00000010,?,?,?,?,100134EB), ref: 10010B64
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1785905243.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000002.00000002.1785882178.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785925566.0000000010015000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785942469.000000001001E000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000002.00000002.1785957907.000000001001F000.00000002.00000001.01000000.00000004.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_10000000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: memmove
                                                            • String ID:
                                                            • API String ID: 2162964266-0
                                                            • Opcode ID: 5eaef68e35d95d15862207dab3aec2df6717d21996db2b47c1777a73ef0a9530
                                                            • Instruction ID: e49b7a3a0d52bd9b7ee0b143c83fdea0914f18595f984660afd969eff975b152
                                                            • Opcode Fuzzy Hash: 5eaef68e35d95d15862207dab3aec2df6717d21996db2b47c1777a73ef0a9530
                                                            • Instruction Fuzzy Hash: D3D0C7F5D0014C67DB00E5E49C06B9F725C9705304F450D357555DB251F9B5F55842D6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: *0Fh$*0Fh$-?m$-?m$-?m$-?m$-?m$-?m$-?m$-?m$-?m$-?m$-?m$-?m$-?m$-?m$-?m$-?m$M$\XC)$\XC)$\XC)$\XC)$\XC)$\XC)$\XC)$\XC)$\XC)$\XC)$\XC)$\XC)$\XC)$\XC)$\XC)$\XC)$i$k^$k^$o
                                                            • API String ID: 0-1383934659
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ($/$0X5$0X5$8$D$Ednh$J 3$J 3$P$Sfv@$WjlM$f$gfr^$gfr^lpvw$in$j$lpvw$lpvw$mig}$p=_ $p=_ $p=_ $p=_ $p=_ $p=_ $u"H}$u"H}$u"H}$vui{$z$:I$:I$N~B$N~B$N~B
                                                            • API String ID: 0-1900293654
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: czD$+L|$5TR9$EV[7$FV[7$FV[7$Y$($Y$($e|IS$e|IS$e|IS$e|IS$m$o$p$4$H\$H\$H\$H\$H\$H\
                                                            • API String ID: 0-3063054441
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: %$bcV$bcV$bcV$bcV$bcV$bcV$bcV$bcV$bcV$bcV$bcV$bcV$bcV$bcV$bcV$bcV$bcV$bcV$q"]]$r"]]$r"]]$rc7E$rc7E$rc7E$rc7E$wrL
                                                            • API String ID: 0-3344043520
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: !U7^$"U7^$"U7^$"U7^$"U7^$8k!a$8k!a$8k!a$Ednh$Sfv@$WjlM$as$dgen$o{$qfjH$vh~#$vui{$wh~#$wh~#$wh~#$x
                                                            • API String ID: 0-728382720
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: -?m$-?m$-?m$-?m$-?m$-?m$F'$S$\XC)$\XC)$\XC)$\XC)$\XC)$\XC)$p$t$w$|
                                                            • API String ID: 0-1179113696
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: sX$sX$sX$,Z@$-Z@$-Z@$K'.$K'.$M.l$M.l$P$`|M*$`|M*$e|IS$e|IS$r$s
                                                            • API String ID: 0-455963809
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: #l,$$l,$$l,$;&(q$<&(q$<&(q$?ZaF$?ZaF$?ZaF$b$e$oX|u$oX|u$t
                                                            • API String ID: 0-1857690218
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .$0$0rH$0rH$0rH$>`Vq$>`Vq$Q$$Q$$U$r$uIo$uIo
                                                            • API String ID: 0-1235768376
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Cqgl$GfvK$Jfbl$lg$o$xWN$xWN$xjH`$zyeg$&a]$&a]
                                                            • API String ID: 0-1139171407
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: -?m$-?m$/$?8$?8$\XC)$\XC)$r$t
                                                            • API String ID: 0-3509243286
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: '%G$(%G$(%G$2>A~$2>A~$2>A~$WjlM$gedh$o{$psvJ
                                                            • API String ID: 0-293614731
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 9s7*$9s7*$e#?$e#?$e#?$e#?$y$y
                                                            • API String ID: 0-3290131490
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 9s7*$9s7*$;&(q$<&(q$<&(q$o$o$oX|u$oX|u
                                                            • API String ID: 0-4293757946
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: /$as$hbh^$kn$kn$lpvw$z$:I$:I
                                                            • API String ID: 0-2153011212
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ##dp$$#dp$$#dp$Vjpq$dgen$o$qfjO$t~$zn
                                                            • API String ID: 0-1032566246
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: #Zj$#Zj$9s7*$9s7*$c$e$r
                                                            • API String ID: 0-1427222792
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Ednh$Sog`$chin$hbhH$lpvw$mfov$t$wtu+
                                                            • API String ID: 0-338988566
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 9s7*$9s7*$;5O$<5O$<5O
                                                            • API String ID: 0-3665335344
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Cqgl$Wqky$iGog$lg$o$xjH`$zyeg
                                                            • API String ID: 0-3625385290
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: GjzA$b_e,$b_e,$l$mx~L$x~$zeyg
                                                            • API String ID: 0-474005058
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: >#&[$?#&[$?#&[$?#&[$K$y
                                                            • API String ID: 0-1410873221
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Cn$Rfe@$[$hhul$s$vbg}
                                                            • API String ID: 0-1287791310
                                                            • Opcode ID: 83e844509711380e83beb9528b19f45347268c3a4c12b8115ba9f6f8e22fb355
                                                            • Instruction ID: 0cec940fecc8990e1abbfe464df2a3da40564300f05d4ad323597790caf3c6cf
                                                            • Opcode Fuzzy Hash: 83e844509711380e83beb9528b19f45347268c3a4c12b8115ba9f6f8e22fb355
                                                            • Instruction Fuzzy Hash: 58C123B02193419FDB18DF28C0D4A6EFBE1ABC4704F14891EE49A877A1E7359A4DCB43
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ;&(q$<&(q$<&(q$oX|u$oX|u
                                                            • API String ID: 0-3192187857
                                                            • Opcode ID: d2d58c2bb6fc0b220c2eb84b716c7a36cf424c09f511b15953b0d4e3501853cb
                                                            • Instruction ID: 6b2f6dec655642b554eb9385b75b5deb26f5b365974ac672bf833f8421bce4e9
                                                            • Opcode Fuzzy Hash: d2d58c2bb6fc0b220c2eb84b716c7a36cf424c09f511b15953b0d4e3501853cb
                                                            • Instruction Fuzzy Hash: EE92F7B9E152058BDF3CCA99C4A11BEB7B3AFD8214F78814ED416B7384C7785A02CB56
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: XKH$YKH$YKH$e$o
                                                            • API String ID: 0-3464357607
                                                            • Opcode ID: 3ad9f6c0ee779e4a86966967041f757c877d99b97df4003584d6a232b6c1e02b
                                                            • Instruction ID: 7126f7c3e5c88f60bb97ed79a4d78944a23fc2c75d8d65cfa8e04c85834be04e
                                                            • Opcode Fuzzy Hash: 3ad9f6c0ee779e4a86966967041f757c877d99b97df4003584d6a232b6c1e02b
                                                            • Instruction Fuzzy Hash: 4942D2796186408BD73CDA28D4B123DB7E2AFD4214F38CA4ED5CA87394C7798A41DB07
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: GjzA$ik$mx~L$zeyg${
                                                            • API String ID: 0-3108313726
                                                            • Opcode ID: ce2116799922ab86948bc128d0fc09db003c234904a9a25ae817703be68de885
                                                            • Instruction ID: 38f0ea7031545baf009a006609e7478a49b40936b7d8b28925367840979e7106
                                                            • Opcode Fuzzy Hash: ce2116799922ab86948bc128d0fc09db003c234904a9a25ae817703be68de885
                                                            • Instruction Fuzzy Hash: 17F1B5706093419FCF29CB29C4E436EBBE1ABC5394FA4991EE49A97360D731C945CB83
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Comv$aOgg$lg$mfof$o
                                                            • API String ID: 0-3626148033
                                                            • Opcode ID: 852af6f3ca1a4a4e78c36f08604941a1b363420a5974a47ece00859fa83f4aa6
                                                            • Instruction ID: db460fdce455382b1f994f6c06180be5ca471b15fd6d158a5ee9583629ef95d8
                                                            • Opcode Fuzzy Hash: 852af6f3ca1a4a4e78c36f08604941a1b363420a5974a47ece00859fa83f4aa6
                                                            • Instruction Fuzzy Hash: 76C100756083448FCB15CE28C5C87AEBBE2EBD5304F14C91EE09A87BA5D735D90ACB52
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Comv$aOgg$lg$mfof$o
                                                            • API String ID: 0-3626148033
                                                            • Opcode ID: 7577273e1f177e89554ac4e5e77586792882d59c1c38dd3a130bd328275b9703
                                                            • Instruction ID: 0160af6893fc66fef2667743c7769838982516051166ad97462d1ae10712c9de
                                                            • Opcode Fuzzy Hash: 7577273e1f177e89554ac4e5e77586792882d59c1c38dd3a130bd328275b9703
                                                            • Instruction Fuzzy Hash: C8C1EF746083408FDB25DE28C1887AEBBE2EBD5304F54891EE089C7B65D739D94ACB52
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 9s7*$9s7*$e$o
                                                            • API String ID: 0-3269116661
                                                            • Opcode ID: d2f5b2cf1f6d219942b876bbf8991e1cf14f2653ada43d2404aedbac6b0f85a1
                                                            • Instruction ID: 739d83322253b8b0dfccc15d8c6a7a71cab4251cb5b67f8f68c8e2bdb96e8a61
                                                            • Opcode Fuzzy Hash: d2f5b2cf1f6d219942b876bbf8991e1cf14f2653ada43d2404aedbac6b0f85a1
                                                            • Instruction Fuzzy Hash: EF62C2756186409BD72CCE18C6A113EB7E2AFD8214F38C94EE5CB97394CB399941DB07
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: m$m$p$t
                                                            • API String ID: 0-1471349309
                                                            • Opcode ID: 2b66a5e0f7735039ec99291817da515136bf1764c25d3f5eba3b15e3ee9cc26d
                                                            • Instruction ID: 812b919ed76518a570482d4b0f4d03fb5d8085fe781ba514fb069abc30a47689
                                                            • Opcode Fuzzy Hash: 2b66a5e0f7735039ec99291817da515136bf1764c25d3f5eba3b15e3ee9cc26d
                                                            • Instruction Fuzzy Hash: EC521778E051459BCF1CCE48E4A16BDB7B6EF88204F28845ED557A7B84CB38DC41CBA2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: w$b
                                                            • API String ID: 0-560803292
                                                            • Opcode ID: e6279fa289b336d53a35c3f5fab175295e2be364f974dcceac7dcc1ac70500c0
                                                            • Instruction ID: f73fad5be3fcb8e908b43a1a7217a6aa5505fd83d8ff15980702245a2105d5ad
                                                            • Opcode Fuzzy Hash: e6279fa289b336d53a35c3f5fab175295e2be364f974dcceac7dcc1ac70500c0
                                                            • Instruction Fuzzy Hash: 66B2AEFBC6152987CF20CE8585441BEF672BBC8220B2A815ACD9637354D37D5E42DBE2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: e$y
                                                            • API String ID: 0-1768749287
                                                            • Opcode ID: 92257325136b9d006420fe55dd57ada5ae3c704bb35fe7e475295de423b3f1c0
                                                            • Instruction ID: 858ed25488919c95aee9739e46eb0f33e29baa042c2b0f45a99d9528bd51fbc4
                                                            • Opcode Fuzzy Hash: 92257325136b9d006420fe55dd57ada5ae3c704bb35fe7e475295de423b3f1c0
                                                            • Instruction Fuzzy Hash: 6BA2E57661C7009BD728DA19C4A112EBBE2AFD8214F38895EE4CB87394C7798E41DB47
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: w$b
                                                            • API String ID: 0-560803292
                                                            • Opcode ID: bfd00209899a0ddad38971d1d02f3b800773ae8d51719893884e2b591dbd5444
                                                            • Instruction ID: 25a3f417b1c1131d59f0e944aa9759072395ba426d49cf5a5cc758db384a7dda
                                                            • Opcode Fuzzy Hash: bfd00209899a0ddad38971d1d02f3b800773ae8d51719893884e2b591dbd5444
                                                            • Instruction Fuzzy Hash: 54A2AEF5E5460687DB2CCA45C5619BEB2B2BFC8304F24852EC04BA77A4DB7D4E01CB66
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: W$e
                                                            • API String ID: 0-1518507350
                                                            • Opcode ID: 47f8a80b928488bb60824ed3a2e7fa1da8954f55c1afa15ed0cd2e4dacf1b4fe
                                                            • Instruction ID: a57960a1c2af757fdaeca336f6a80acb7f4e89555e888f1213ed09c63ed0d230
                                                            • Opcode Fuzzy Hash: 47f8a80b928488bb60824ed3a2e7fa1da8954f55c1afa15ed0cd2e4dacf1b4fe
                                                            • Instruction Fuzzy Hash: C492B5757186009BD728DA69C4E123EB7E3AFD8314F2CC94EE68A87390C7798945DB07
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a16e35be4a99b5f32f6f4a60b21ac88463a972438e959be1369b07a0d765f6f9
                                                            • Instruction ID: fd8f3bd46dbd6cb4feb60a8a7adc0ce6d31a40d96c774018451ab8c1fb272950
                                                            • Opcode Fuzzy Hash: a16e35be4a99b5f32f6f4a60b21ac88463a972438e959be1369b07a0d765f6f9
                                                            • Instruction Fuzzy Hash: 98E15DAC26C7089BD7146F95C4402BEB3E0EF84B04F14D83DEA9587750E6BDDA48878B
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f0f067c13bc652ef8fc555aefa2e67176182c6164721ee97f4bb8656db995485
                                                            • Instruction ID: c475ec7f6922b3143248fde34ba62edb5abd7e1694a523e8bcf75f16d85f6957
                                                            • Opcode Fuzzy Hash: f0f067c13bc652ef8fc555aefa2e67176182c6164721ee97f4bb8656db995485
                                                            • Instruction Fuzzy Hash: AFE1472BA097518BDB108A29C0D119FBBD59BD6630F0D8E0DE8EB273A1D3348D85C7D2
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f39bc110cd668572dd7b3d76f19b754198566a3b3394de48982573da2b448232
                                                            • Instruction ID: dcc7e9ff8ae9d3748338b2034c28035f2a3239fcf040110bfd7bb37aa1550f0f
                                                            • Opcode Fuzzy Hash: f39bc110cd668572dd7b3d76f19b754198566a3b3394de48982573da2b448232
                                                            • Instruction Fuzzy Hash: 54517BB1A0062ADBFB18CF95D9C17AABBF0FB48314F24846AD419EB764D3749940CF90
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cb2320b39a4adc50e664b343c1448fc8dc41cfdedc77912862ab0f8582775caa
                                                            • Instruction ID: df85cd37bc3284c55020e57aa4f518654b159288d18aef6b56d688981ff49ca4
                                                            • Opcode Fuzzy Hash: cb2320b39a4adc50e664b343c1448fc8dc41cfdedc77912862ab0f8582775caa
                                                            • Instruction Fuzzy Hash: AEE08C72915228FBCB24DB98D904D8AF3FCEB49B48F110097B611D3600C2B0DE40CBE0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Hjo}ucm`MxlL`ml$L`ml$Vt3C$Vt3C$Vt3C$uc${d^p$~dil$B@k$B@k
                                                            • API String ID: 0-217409800
                                                            • Opcode ID: 6f8bb0a620c90d173c0ea4525455b950aca8aa6129803c6690eae5b21fd55ea3
                                                            • Instruction ID: 6775615dacf4ba4c1c8cf15013fb6c8a5fd2c73834f310b46ea7262a86cee933
                                                            • Opcode Fuzzy Hash: 6f8bb0a620c90d173c0ea4525455b950aca8aa6129803c6690eae5b21fd55ea3
                                                            • Instruction Fuzzy Hash: 7FA1BF742087418FCB29CE29C4D476ABBE2AFD9654F148A5EE0D6C73A0D731D949CB43
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Comv$Cqgd$E{kq$Tuij$aOgg$lg$o$t$znki
                                                            • API String ID: 0-2903593985
                                                            • Opcode ID: e14f38031ecacc1f79f6b3dd5692c5cb74f4e2b930b30d58803b13bcfab506bf
                                                            • Instruction ID: c74dcd24e5bd65cfc1b286817bf327ce998e2f055d521d870d892cf94e42c9a7
                                                            • Opcode Fuzzy Hash: e14f38031ecacc1f79f6b3dd5692c5cb74f4e2b930b30d58803b13bcfab506bf
                                                            • Instruction Fuzzy Hash: DCA103702082419FDF199E28C1E87AEBBDAABD5708F248D0ED0D68B3D5D635C945CB63
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: :$f$f$f$p$p$p
                                                            • API String ID: 0-1434680307
                                                            • Opcode ID: 5c50e860b38d7ac32e0742099d524878c0ebcee6c9da87b935e539d66db8aba4
                                                            • Instruction ID: d562b2ba72bbe85677cb56815699c2133a3c7c5fc46af8fb229210da2e7fb7d5
                                                            • Opcode Fuzzy Hash: 5c50e860b38d7ac32e0742099d524878c0ebcee6c9da87b935e539d66db8aba4
                                                            • Instruction Fuzzy Hash: 8EF18D75900158BADF288FA0E4796EDB7B6FF40B6CFA4410AE4567BB80D7344D88CB15
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 'rxS$(rxS$(rxS$(rxS$guSz$guSz$guSz
                                                            • API String ID: 0-2561137243
                                                            • Opcode ID: 1ea405b4820471b02627125edf37cd624862485d576d4f0fd1a23b346338de40
                                                            • Instruction ID: 30871dd0461d24bf4d35ccc929004b841f01bf45cf8c895d476f48998cf54cd6
                                                            • Opcode Fuzzy Hash: 1ea405b4820471b02627125edf37cd624862485d576d4f0fd1a23b346338de40
                                                            • Instruction Fuzzy Hash: 9731A035E1D281ABC6258A58F58492FBBE0ABD5614FA84D4FF8C5C7B01D739CC41CB92
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Rfqp$aOgg$lg$mfov$o$znki
                                                            • API String ID: 0-1324273192
                                                            • Opcode ID: 145369b76afa001d328d726acb1febe3768dac1b4b3f556cdcdcf478edd0df36
                                                            • Instruction ID: 0f049418421bc2779d525c54d5c2a6caebc35ed75bb92bb73198566be531c89d
                                                            • Opcode Fuzzy Hash: 145369b76afa001d328d726acb1febe3768dac1b4b3f556cdcdcf478edd0df36
                                                            • Instruction Fuzzy Hash: 97E1F1342082419FDB19CA28C4E47AEBBEAEBD5704F648D1DE0D6873E0D7359949CB53
                                                            APIs
                                                            • API ID: dllmain_raw$dllmain_crt_dispatch
                                                            • String ID:
                                                            • API String ID: 3136044242-0
                                                            • Opcode ID: 61a3aa05fc9ef84d4c5d100fb07fd4f95c66efa3cba8e4f447e978086b732fa7
                                                            • Instruction ID: 9989c881cec5c9dc5a2f07addedc40cf9bab0d7b0309d6bf9bcbc0b18ca546af
                                                            • Opcode Fuzzy Hash: 61a3aa05fc9ef84d4c5d100fb07fd4f95c66efa3cba8e4f447e978086b732fa7
                                                            • Instruction Fuzzy Hash: 17217F72D00659BAEB219E14EC44A7FBA7AEF80794F015155F80567768D7308D82CBE0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Com~$Cqgl$m|zL$xjH`$zyeg
                                                            • API String ID: 0-786628539
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: L`ml$Vt3C$Vt3C$`Mxl$m
                                                            • API String ID: 0-3979639489
                                                            APIs
                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 02D18753
                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 02D1876C
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID: Value___vcrt_
                                                            • String ID:
                                                            • API String ID: 1426506684-0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1784328528.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_2c90000_LDeviceDetectionHelper.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $}^A$%axz$%axz$%axz
                                                            • API String ID: 0-1492341035