
Windows Analysis Report
d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi.zip

Overview

General Information

Sample name: d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi.zip
Analysis ID: 1532102
MD5: 2e68d1dbedf3e80f938a305ada936c8d
SHA1: 81cac25a0e566d7741961dd0f9c93bdd16c81e88
SHA256: 8e36968274e6eff65a02d776953af1147ad72b682bb340457d119a5512365605

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected Remcos RAT
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found API chain indicative of debugger detection
Loading BitLocker PowerShell Module
PE file has a writeable .text section
Sigma detected: Suspicious PowerShell Parameter Substring
Uses whoami command line tool to query computer and username
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64_ra
  • rundll32.exe (PID: 6568 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • 7zG.exe (PID: 6028 cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi\" -spe -an -ai#7zMap15499:192:7zEvent20179 MD5: 50F289DF0C19484E970849AAC4E6F977)
  • msiexec.exe (PID: 2144 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi\d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 1448 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • Coolmuster PDF Image Extractor.exe (PID: 4680 cmdline: "C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe" MD5: E11235CB041E3AE98CB17D746B45CB66)
      • WerFault.exe (PID: 6488 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1228 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • powershell.exe (PID: 4980 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 5096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 988 cmdline: "C:\Windows\system32\cmd.exe" /c powershell -ep bypass MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 6196 cmdline: powershell -ep bypass MD5: 04029E121A0CFA5991749937DD22A1D9)
        • whoami.exe (PID: 6184 cmdline: "C:\Windows\system32\whoami.exe" /all MD5: A4A6924F3EAF97981323703D38FD99C4)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Extracted malware configuration:
{
  "Version": "5.1.1 Pro",
  "Host:Port:Password": "45.133.74.183:2404",
  "Assigned name": "RemoteHost",
  "Connect interval": "1",
  "Install flag": "Enable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Enable",
  "Hide file": "Disable",
  "Mutex": "Rmc-1QFIL0",
  "Keylog flag": "1",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Enable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5"
}
Yara matches in memory dumps (Source | Rule | Description | Author | Strings):
0000000F.00000003.1745283637.00000000033A1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0000000F.00000003.1745283637.00000000033A1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000F.00000003.1748957291.0000000003418000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0000000F.00000003.1748957291.0000000003418000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000F.00000003.1750127063.0000000003418000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
(15 entries in total)
Yara matches in unpacked PE files (Source | Rule | Description | Author | Strings):
15.3.Coolmuster PDF Image Extractor.exe.57f3ce2.7.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
15.3.Coolmuster PDF Image Extractor.exe.57f3ce2.7.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
15.3.Coolmuster PDF Image Extractor.exe.57f3ce2.7.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x5f87c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x5f7f8:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x5f7f8:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x5fce8:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x5f8dc:$str_b2: Executing file:
  • 0x60604:$str_b3: GetDirectListeningPort
  • 0x5f904:$str_b9: Downloaded file:
  • 0x5f8f0:$str_b10: Downloading file:
  • 0x5f994:$str_b12: Failed to upload file:
  • 0x605cc:$str_b13: StartForward
  • 0x605ec:$str_b14: StopForward
  • 0x5f984:$str_b18: Uploaded file:
  • 0x5f944:$str_b19: Unable to delete:
  • 0x5fe21:$str_c0: [Firefox StoredLogins not found]
  • 0x5fd55:$str_c2: [Chrome StoredLogins found, cleared!]
  • 0x5fd31:$str_c3: [Chrome StoredLogins not found]
  • 0x5fe48:$str_c6: \logins.json
  • 0x5fdd1:$str_c7: [Chrome Cookies found, cleared!]
  • 0x5fe89:$str_c8: [Firefox Cookies not found]
  • 0x5fdb5:$str_c9: [Chrome Cookies not found]
  • 0x5feb9:$str_c10: [Firefox cookies found, cleared!]
15.3.Coolmuster PDF Image Extractor.exe.34185ae.2.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
15.3.Coolmuster PDF Image Extractor.exe.34185ae.2.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
(49 entries in total)

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: powershell -ep bypass, CommandLine: powershell -ep bypass, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c powershell -ep bypass, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 988, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ep bypass, ProcessId: 6196, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: powershell -ep bypass, CommandLine: powershell -ep bypass, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c powershell -ep bypass, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 988, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ep bypass, ProcessId: 6196, ProcessName: powershell.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: "C:\Windows\system32\whoami.exe" /all, CommandLine: "C:\Windows\system32\whoami.exe" /all, CommandLine|base64offset|contains: e, Image: C:\Windows\System32\whoami.exe, NewProcessName: C:\Windows\System32\whoami.exe, OriginalFileName: C:\Windows\System32\whoami.exe, ParentCommandLine: powershell -ep bypass, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6196, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\whoami.exe" /all, ProcessId: 6184, ProcessName: whoami.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5728, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" , ProcessId: 4980, ProcessName: powershell.exe
No Suricata rule has matched



AV Detection

Source: 15.3.Coolmuster PDF Image Extractor.exe.532aea2.6.raw.unpack | Malware Configuration Extractor: Remcos {"Version": "5.1.1 Pro", "Host:Port:Password": "45.133.74.183:2404", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "Rmc-1QFIL0", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: 45.133.74.183 | Virustotal: Detection: 8%
Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.57f3ce2.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.34185ae.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.Coolmuster PDF Image Extractor.exe.33a0686.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.34185bf.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.34185bf.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.532aea2.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.52b2896.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.5239f2a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.33a12b6.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.532aea2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.34185ae.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.5779caa.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.33a12b6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.5779caa.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.52b2896.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.5239f2a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.Coolmuster PDF Image Extractor.exe.33a0686.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.57f3ce2.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000003.1745283637.00000000033A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.1748957291.0000000003418000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.1750127063.0000000003418000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.1742404659.00000000051C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.1749417346.00000000052AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.1753919014.00000000057F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1764870232.00000000033A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.1750585922.0000000005778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.1751129561.000000000532A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Coolmuster PDF Image Extractor.exe PID: 4680, type: MEMORYSTR
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1745283637.00000000033A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_6c98e2b3-3
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\license_En.txt
Source: Binary string: E:\Project\Software\Common\tags\102.libBasic-2.6\msw\2017\libBasic\Win32\Release\lib\libBasic.pdbBB%GCTL source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1799114042.0000000073D7C000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: D:\software\110.pdfimage-extractor-gui-2.2\projects\gui\Release\Module.View.pdb>>#GCTL source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1791496099.000000006CB77000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: E:\Project\Software\Common\tags\103.libUpdate-1.6\msw\2017\Release\libUpdate.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1791049275.000000006CB3C000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: E:\software\Lib\common\glog-20161230\src\build\vsprojects\libglog\Release\libglog.pdb"" source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1792741802.000000006CC0D000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: E:\Project\Software\Common\tags\104.libI18n-1.3\msw\2017\I18n\Release\libI18n.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1800329373.0000000074AC6000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\software\110.pdfimage-extractor-gui-2.2\projects\gui\Release\Module.View.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1791496099.000000006CB77000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: E:\software\Lib\common\glog-20161230\src\build\vsprojects\libglog\Release\libglog.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1792741802.000000006CC0D000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.14.dr
Source: Binary string: E:\Project\Software\Common\tags\17.register-1.1\msw-2017\Release\libRG.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1799526500.0000000073DEB000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: E:\Project\Software\Common\tags\102.libBasic-2.6\msw\2017\libBasic\Win32\Release\lib\libBasic.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1799114042.0000000073D7C000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1799804567.00000000747F1000.00000020.00000001.01000000.0000000D.sdmp
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1798016768.0000000073CE1000.00000020.00000001.01000000.0000000C.sdmp
Source: Binary string: C:\PDR14_AutoBuild\LayerTemplate_9\Generic\Trunk\bin\Win32\Release\ImageUtility.pdb2 source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1773080344.000000006BC5F000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: D:\software\110.pdfimage-extractor-gui-2.2\projects\gui\Win32\Release\Bin\FileProcessManager.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000000.1709763138.0000000000214000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: E:\Project\Software\Common\tags\103.libUpdate-1.6\msw\2017\Release\libUpdate.pdb$$ source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1791049275.000000006CB3C000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\vccorlib140.i386.pdb source: vccorlib140.dll.14.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\vccorlib140.i386.pdbGCTL source: vccorlib140.dll.14.dr
Source: Binary string: D:\DGProject\bin\Win32\Release\GuardEassosRestoreBoot.pdb source: GuardEassosRestoreBoot,1.exe.14.dr
Source: Binary string: D:\software\110.pdfimage-extractor-gui-2.2\projects\gui\Release\Module.Helper.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1788395528.000000006C9BC000.00000002.00000001.01000000.00000016.sdmp, Module.Helper.dll.14.dr
Source: Binary string: C:\PDR14_AutoBuild\LayerTemplate_9\Generic\Trunk\bin\Win32\Release\ImageUtility.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1773080344.000000006BC5F000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: E:\Project\Software\Common\tags\104.libI18n-1.3\msw\2017\I18n\Release\libI18n.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1800329373.0000000074AC6000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\software\110.pdfimage-extractor-gui-2.2\projects\gui\Win32\Release\Bin\FileProcessManager.pdbJJ2 source: Coolmuster PDF Image Extractor.exe, 0000000F.00000000.1709763138.0000000000214000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: E:\Project\Software\Common\tags\85.groceryc-1.1\msw\2017\temp\link\groceryc\Release\groceryc.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1792221350.000000006CBD6000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: api-ms-win-core-xstate-l2-1-0.pdb source: API-MS-Win-core-xstate-l2-1-0.dll.14.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.14.dr
Source: Binary string: E:\Project\Software\Common\tags\85.groceryc-1.1\msw\2017\temp\link\groceryc\Release\groceryc.pdbEE"GCTL source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1792221350.000000006CBD6000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.14.dr
Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.14.dr
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData

Networking

Source: Malware configuration extractor | URLs: 45.133.74.183
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1789730468.000000006CA95000.00000002.00000001.01000000.00000017.sdmp, libcurl.dll.14.dr | String found in binary or memory: http://.css
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1789730468.000000006CA95000.00000002.00000001.01000000.00000017.sdmp, libcurl.dll.14.dr | String found in binary or memory: http://.jpg
Source: 7zG.exe, 0000000B.00000003.1598075585.0000022352430000.00000004.00000800.00020000.00000000.sdmp, GuardEassosRestoreBoot,1.exe.14.dr, libdrive.dll.14.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: GuardEassosRestoreBoot,1.exe.14.dr, libdrive.dll.14.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 7zG.exe, 0000000B.00000003.1598075585.0000022352430000.00000004.00000800.00020000.00000000.sdmp, GuardEassosRestoreBoot,1.exe.14.dr, libdrive.dll.14.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 7zG.exe, 0000000B.00000003.1598075585.0000022352430000.00000004.00000800.00020000.00000000.sdmp, GuardEassosRestoreBoot,1.exe.14.dr, libdrive.dll.14.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 0000001A.00000002.2542506617.00000215E47A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mf
Source: 7zG.exe, 0000000B.00000003.1598075585.0000022352430000.00000004.00000800.00020000.00000000.sdmp, GuardEassosRestoreBoot,1.exe.14.dr, libdrive.dll.14.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: GuardEassosRestoreBoot,1.exe.14.dr, libdrive.dll.14.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 7zG.exe, 0000000B.00000003.1598075585.0000022352430000.00000004.00000800.00020000.00000000.sdmp, GuardEassosRestoreBoot,1.exe.14.dr, libdrive.dll.14.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: libdrive.dll.14.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: GuardEassosRestoreBoot,1.exe.14.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: libdrive.dll.14.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1719239028.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1719452091.0000000003897000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://en.w
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1715211508.0000000003897000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://en.wikipedia
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1745283637.00000000033A1000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1748957291.0000000003418000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1742404659.00000000051C1000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1750127063.0000000003418000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1749417346.00000000052AD000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1753919014.00000000057F3000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1764870232.00000000033A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1750585922.0000000005778000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1751129561.000000000532A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1789730468.000000006CA95000.00000002.00000001.01000000.00000017.sdmp, libcurl.dll.14.dr | String found in binary or memory: http://html4/loose.dtd
Source: powershell.exe, 0000001A.00000002.2533794190.00000215DC78E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2468091631.00000215CC8C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2533794190.00000215DC64E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: GuardEassosRestoreBoot,1.exe.14.dr, libdrive.dll.14.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: 7zG.exe, 0000000B.00000003.1598075585.0000022352430000.00000004.00000800.00020000.00000000.sdmp, GuardEassosRestoreBoot,1.exe.14.dr, libdrive.dll.14.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: 7zG.exe, 0000000B.00000003.1598075585.0000022352430000.00000004.00000800.00020000.00000000.sdmp, GuardEassosRestoreBoot,1.exe.14.dr, libdrive.dll.14.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: 7zG.exe, 0000000B.00000003.1598075585.0000022352430000.00000004.00000800.00020000.00000000.sdmp, GuardEassosRestoreBoot,1.exe.14.dr, libdrive.dll.14.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 0000001A.00000002.2468091631.00000215CE16D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001A.00000002.2468091631.00000215CC8C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.pngp4(
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1794183255.0000000071005000.00000002.00000001.01000000.00000013.sdmp | String found in binary or memory: http://purl.oclc.org/dsdl/schematron
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1794183255.0000000071005000.00000002.00000001.01000000.00000013.sdmp | String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1794183255.0000000071005000.00000002.00000001.01000000.00000013.sdmp | String found in binary or memory: http://relaxng.org/ns/structure/1.0Use
Source: powershell.exe, 0000001A.00000002.2468091631.00000215CC5E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmpString found in binary or memory: http://sourceware.org/pthreads-win32/DVarFileInfo$
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2468091631.00000215CDFE3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: powershell.exe, 0000001A.00000002.2468091631.00000215CE16D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 0000001A.00000002.2468091631.00000215CC8C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlp4(
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1794183255.0000000071005000.00000002.00000001.01000000.00000013.sdmpString found in binary or memory: http://www.ascc.net/xml/schematron
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1794183255.0000000071005000.00000002.00000001.01000000.00000013.sdmpString found in binary or memory: http://www.ascc.net/xml/schematronL
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1741422053.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1741207429.000000000388F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1723119947.0000000003892000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1722822164.000000000388F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1723119947.0000000003892000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1722822164.000000000388F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comTC
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1723119947.0000000003892000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1722822164.000000000388F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comTCU)
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1722822164.000000000388F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comX
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1723119947.0000000003892000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1722822164.000000000388F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.combli
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1722822164.000000000388F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comd
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1722822164.000000000388F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comde0)
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                    Source: GuardEassosRestoreBoot,1.exe.14.dr, libdrive.dll.14.drString found in binary or memory: http://www.digicert.com/CPS0
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732014333.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1745113402.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1744555798.000000000389E000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1740687994.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1747114045.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1753825189.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1752741479.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1741877450.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1742717841.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732215353.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1731519810.0000000003896000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1746372002.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1744078990.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1752328813.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1745924243.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1743093534.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1746732597.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1753427512.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1742321757.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1730654645.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726298467.0000000003896000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1727033049.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725893463.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726821756.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1727704373.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1727459329.0000000003896000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726419430.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725731416.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726624557.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1727211944.000000000389E000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726036225.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726171400.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1752328813.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1745113402.00000000038A6000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725731416.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725893463.00000000038A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers&
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1730654645.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1741877450.00000000038AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1741877450.00000000038AD000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1742321757.00000000038AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html8z
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1740687994.00000000038AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1730654645.00000000038A5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/r
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732215353.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersDLr
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1731519810.00000000038A5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersd
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726298467.0000000003896000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726419430.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726624557.00000000038A3000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725893463.00000000038A3000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725731416.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726036225.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726171400.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designerse
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1731519810.0000000003896000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1730654645.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com2
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1745113402.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1744555798.000000000389E000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1747114045.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1746372002.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1745924243.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1746732597.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1747508403.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comF
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732873365.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732215353.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732686584.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732485898.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comF.Ev
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732873365.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732686584.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1733031852.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732485898.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1733202327.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comF8E
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1745113402.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1744555798.000000000389E000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1747114045.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1746372002.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1745924243.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1746732597.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1747508403.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comalsd
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732014333.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732873365.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732215353.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732686584.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1733031852.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732485898.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1733202327.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comased
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732873365.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732686584.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732485898.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comcomo
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1750528655.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1751134931.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1749354729.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1749814332.0000000003896000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comgrito
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1741877450.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comitu
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732014333.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732215353.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.como
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725731416.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.como.jp/
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1751997246.0000000003895000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1753825189.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1752741479.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1750528655.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1751134931.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1752328813.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1753427512.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1749354729.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1751702306.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1749814332.0000000003896000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comoJER
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732873365.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732215353.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732686584.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732485898.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comonyaoE7
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1740687994.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1741207429.000000000388F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comonyd
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1753825189.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1752741479.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1752328813.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1753427512.000000000389B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comrita
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1741422053.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1741207429.000000000388F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comsiefdE
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1745113402.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1744555798.000000000389E000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1747114045.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1746372002.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1744078990.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1745924243.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1746732597.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1747508403.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comtas
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1718445979.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1718356419.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1718250150.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1718578432.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1718445979.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.comn-u
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1718578432.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1718657434.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.comnt
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1741877450.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1742321757.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1745113402.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1744555798.000000000389E000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1747114045.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1741877450.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1742717841.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1746372002.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1744078990.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1745924243.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1743466216.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1743093534.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1746732597.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1742321757.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1747508403.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/oE7
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1741877450.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1741877450.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1742321757.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmY=
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726171400.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724384337.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724852939.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724648148.000000000389B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724117095.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724384337.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724852939.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725893463.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725088113.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724648148.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725385477.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725731416.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726036225.0000000003897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/1Ei
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724117095.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724384337.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726298467.0000000003896000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1727033049.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724852939.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725893463.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726821756.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725088113.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724648148.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725385477.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726419430.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725731416.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726624557.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1727211944.000000000389E000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726036225.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726171400.0000000003897000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/8E
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726298467.0000000003896000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724852939.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725893463.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725088113.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724648148.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725385477.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725731416.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726036225.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726171400.0000000003897000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/CE
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724117095.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724384337.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1723912386.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724852939.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725893463.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725088113.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724648148.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725385477.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725731416.0000000003897000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/JER
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724384337.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724852939.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725088113.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724648148.000000000389B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726298467.0000000003896000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1727033049.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725893463.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726821756.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725385477.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726419430.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725731416.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726624557.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1727211944.000000000389E000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726036225.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726171400.0000000003897000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724117095.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1723912386.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724852939.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725893463.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725088113.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724648148.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725385477.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725731416.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726036225.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726171400.0000000003897000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724117095.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724384337.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725893463.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725088113.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725385477.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725731416.0000000003897000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/oE7
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724852939.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725088113.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724648148.000000000389B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/vE.
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1723912386.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724852939.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724648148.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1723377149.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1723455455.00000000038A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/oE7
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725893463.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725385477.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725731416.0000000003897000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/tant
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726298467.0000000003896000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725893463.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725385477.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725731416.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726036225.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726171400.0000000003897000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/vE.
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726298467.0000000003896000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725893463.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725385477.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725731416.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726036225.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726171400.0000000003897000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/yE
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1794183255.0000000071005000.00000002.00000001.01000000.00000013.sdmp | String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1794183255.0000000071005000.00000002.00000001.01000000.00000013.sdmp | String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1743093534.0000000003897000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1719452091.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1719558546.0000000003897000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.net
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1719239028.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1719452091.0000000003897000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.nethi
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726965342.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1727618738.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deF
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726965342.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deO
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726965342.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1727618738.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.dea
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1791049275.000000006CB3C000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1799114042.0000000073D7C000.00000002.00000001.01000000.00000009.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll0123456789ABCDEFuuuuuuuubtnufruuuuuuuuuuuuuuuuuu
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1722369894.0000000003892000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnk
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://www.zlib.net/DVarFileInfo$
                    Source: powershell.exe, 0000001A.00000002.2468091631.00000215CC5E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                    Source: powershell.exe, 0000001A.00000002.2533794190.00000215DC64E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 0000001A.00000002.2533794190.00000215DC64E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 0000001A.00000002.2533794190.00000215DC64E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1790291772.000000006CAE8000.00000008.00000001.01000000.00000017.sdmp, libcurl.dll.14.dr | String found in binary or memory: https://curl.se/V
                    Source: libcurl.dll.14.dr | String found in binary or memory: https://curl.se/docs/alt-svc.html
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1790291772.000000006CAE8000.00000008.00000001.01000000.00000017.sdmp, libcurl.dll.14.dr | String found in binary or memory: https://curl.se/docs/copyright.htmlD
                    Source: libcurl.dll.14.dr | String found in binary or memory: https://curl.se/docs/hsts.html
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1789730468.000000006CA95000.00000002.00000001.01000000.00000017.sdmp, libcurl.dll.14.dr | String found in binary or memory: https://curl.se/docs/http-cookies.html
                    Source: powershell.exe, 0000001A.00000002.2468091631.00000215CE16D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 0000001A.00000002.2468091631.00000215CC8C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pesterp4(
                    Source: powershell.exe, 0000001A.00000002.2468091631.00000215CDA36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
                    Source: powershell.exe, 0000001A.00000002.2468091631.00000215CE1F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2533794190.00000215DC78E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2468091631.00000215CC8C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2533794190.00000215DC64E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                    Source: powershell.exe, 0000001A.00000002.2468091631.00000215CDFE3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1762660383.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1742260027.00000000009F1000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1745614609.00000000009F1000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1748204827.00000000009F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.isoo.com
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1779078940.000000006C219000.00000008.00000001.01000000.0000001A.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1775111836.000000006BFBF000.00000008.00000001.01000000.00000019.sdmp | String found in binary or memory: https://www.openssl.org/H
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.57f3ce2.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.34185ae.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.Coolmuster PDF Image Extractor.exe.33a0686.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.34185bf.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.34185bf.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.532aea2.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.52b2896.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.5239f2a.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.33a12b6.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.532aea2.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.34185ae.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.5779caa.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.33a12b6.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.5779caa.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.52b2896.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.5239f2a.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.Coolmuster PDF Image Extractor.exe.33a0686.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.57f3ce2.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000F.00000003.1745283637.00000000033A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000003.1748957291.0000000003418000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000003.1750127063.0000000003418000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000003.1742404659.00000000051C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000003.1749417346.00000000052AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000003.1753919014.00000000057F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.1764870232.00000000033A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000003.1750585922.0000000005778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000003.1751129561.000000000532A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Coolmuster PDF Image Extractor.exe PID: 4680, type: MEMORYSTR

                    E-Banking Fraud

                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.57f3ce2.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.34185ae.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.Coolmuster PDF Image Extractor.exe.33a0686.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.34185bf.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.34185bf.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.532aea2.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.52b2896.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.5239f2a.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.33a12b6.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.532aea2.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.34185ae.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.5779caa.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.33a12b6.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.5779caa.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.52b2896.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.5239f2a.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.Coolmuster PDF Image Extractor.exe.33a0686.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.57f3ce2.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000F.00000003.1745283637.00000000033A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000003.1748957291.0000000003418000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000003.1750127063.0000000003418000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000003.1742404659.00000000051C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000003.1749417346.00000000052AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000003.1753919014.00000000057F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.1764870232.00000000033A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000003.1750585922.0000000005778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000003.1751129561.000000000532A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Coolmuster PDF Image Extractor.exe PID: 4680, type: MEMORYSTR

                    System Summary

                    Source: 15.3.Coolmuster PDF Image Extractor.exe.57f3ce2.7.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 15.3.Coolmuster PDF Image Extractor.exe.34185ae.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 15.2.Coolmuster PDF Image Extractor.exe.33a0686.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 15.3.Coolmuster PDF Image Extractor.exe.34185bf.4.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 15.3.Coolmuster PDF Image Extractor.exe.34185bf.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 15.3.Coolmuster PDF Image Extractor.exe.532aea2.6.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 15.3.Coolmuster PDF Image Extractor.exe.52b2896.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 15.3.Coolmuster PDF Image Extractor.exe.5239f2a.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 15.3.Coolmuster PDF Image Extractor.exe.33a12b6.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 15.3.Coolmuster PDF Image Extractor.exe.532aea2.6.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 15.3.Coolmuster PDF Image Extractor.exe.34185ae.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 15.3.Coolmuster PDF Image Extractor.exe.5779caa.5.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 15.3.Coolmuster PDF Image Extractor.exe.33a12b6.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 15.3.Coolmuster PDF Image Extractor.exe.5779caa.5.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 15.3.Coolmuster PDF Image Extractor.exe.52b2896.3.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 15.3.Coolmuster PDF Image Extractor.exe.5239f2a.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 15.2.Coolmuster PDF Image Extractor.exe.33a0686.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 15.3.Coolmuster PDF Image Extractor.exe.57f3ce2.7.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: ImageUtility.dll.14.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\5f925e.msi
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{4A194FDC-5FC7-428C-83CA-BC4A750D530B}
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9665.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\5f9260.msi
                    Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\5f9260.msi
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_624868CC
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_6248D2D4
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_62E81A7C
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_62E83A1C
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_62E8F7E0
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_62E81794
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_62E87F24
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_62E934C4
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_62E8B0B0
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_62E86D4C
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_62E89D51
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_6BC5C7CB
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_6BC08FD0
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_6BC2C3D0
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_6BC1C7F0
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_6BC5A78B
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_6BC37BB0
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_6BC09F50
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_6BC14750
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_6BC34F50
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_6BC5E750
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_6BC06F70
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_6BC5BF70
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1228 (crash handler for PID 4680)
Source: Module.Helper.dll.14.dr | Static PE information: Resource name: RT_VERSION, type: COM executable for DOS
Source: Module.View.dll.14.dr | Static PE information: Resource name: RT_VERSION, type: COM executable for DOS
Source: libpng14-14.dll.14.dr | Static PE information: Number of sections: 18 > 10
Source: libcurl.dll.14.dr | Static PE information: Number of sections: 11 > 10
Source: libssl-1_1.dll.14.dr | Static PE information: Number of sections: 11 > 10
Source: libxml2-2.dll.14.dr | Static PE information: Number of sections: 19 > 10
Source: pthreadGC2.dll.14.dr | Static PE information: Number of sections: 21 > 10
Source: libgccfree.dll.14.dr | Static PE information: Number of sections: 14 > 10
Source: zlib1.dll.14.dr | Static PE information: Number of sections: 11 > 10
Source: libcrypto-1_1.dll.14.dr | Static PE information: Number of sections: 11 > 10
Source: api-ms-win-core-libraryloader-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-2-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-louserzation-l1-2-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: API-MS-Win-core-xstate-l2-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.14.dr | Static PE information: No import functions for PE file found
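The static PE indicators listed above (a writeable .text section in ImageUtility.dll, dropped DLLs with more than ten sections, and dropped files with no import table) come straight from the PE headers and are cheap to reproduce outside the sandbox. The block below is an added example, not Joe Sandbox code and not part of the report: a pure-Python parser for the COFF header, optional header and section table that reports the same three indicators. The sample images are constructed in memory; the `static_indicators` function, its threshold of 10 sections, and the use of an empty import data directory as a stand-in for "no import functions" are my assumptions. One caveat the list above illustrates: the api-ms-win-* files are API-set forwarder stubs, which legitimately have no imports, so the "no imports" indicator alone is not evidence of malice.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMPORT_DIR_INDEX = 1  # IMAGE_DIRECTORY_ENTRY_IMPORT


def parse_pe(data):
    """Read just enough of a PE image to expose its sections and import directory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        data_dirs = opt + 96    # PE32: data directories start at offset 96
    elif magic == PE32PLUS_MAGIC:
        data_dirs = opt + 112   # PE32+: 64-bit ImageBase and size fields shift them
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    import_rva, import_size = struct.unpack_from("<II", data, data_dirs + 8 * IMPORT_DIR_INDEX)
    sections = []
    table = opt + size_opt  # section table follows the optional header
    for i in range(num_sections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": fields[0].rstrip(b"\0").decode("ascii", "replace"),
                         "characteristics": fields[9]})
    return {"magic": magic, "sections": sections,
            "import_rva": import_rva, "import_size": import_size}


def static_indicators(data, max_sections=10):
    """Return the structural indicators the report flags, as human-readable strings."""
    pe = parse_pe(data)
    findings = []
    for s in pe["sections"]:
        c = s["characteristics"]
        if c & IMAGE_SCN_CNT_CODE and c & IMAGE_SCN_MEM_WRITE:
            findings.append("writable code section %s" % s["name"])
    if len(pe["sections"]) > max_sections:
        findings.append("number of sections %d > %d" % (len(pe["sections"]), max_sections))
    if pe["import_rva"] == 0 or pe["import_size"] == 0:
        findings.append("no import directory")  # assumption: stands in for "no import functions"
    return findings


def build_pe(section_specs, import_rva=0x3000, import_size=0x28):
    """Construct a minimal PE32 image for testing (synthetic data, not a real binary)."""
    size_opt = 224  # PE32 optional header with all 16 data directories
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, size_opt, 0x2102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMPORT_DIR_INDEX, import_rva, import_size)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0, 0, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(section_specs))
    return dos + b"PE\0\0" + coff + bytes(opt) + table


CODE_RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ

# Constructed samples mirroring the indicators in the report.
NORMAL_DLL = build_pe([(b".text", CODE_RX), (b".data", 0xC0000040)])
WRITABLE_TEXT = build_pe([(b".text", CODE_RX | IMAGE_SCN_MEM_WRITE)])
MANY_SECTIONS = build_pe([(b".s%d" % i, IMAGE_SCN_MEM_READ) for i in range(18)])
NO_IMPORTS = build_pe([(b".text", CODE_RX)], import_rva=0, import_size=0)

if __name__ == "__main__":
    for label, img in (("normal", NORMAL_DLL), ("writable .text", WRITABLE_TEXT),
                       ("18 sections", MANY_SECTIONS), ("no imports", NO_IMPORTS)):
        print(label, static_indicators(img))
```

To run it against the dropped files from a real analysis, pass `open(path, "rb").read()` to `static_indicators`; a hit on the writable-code check is worth a closer look, while section-count and missing-import hits need the context of what the file is (MinGW-built libraries and API-set stubs trip them routinely).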
Source: 15.3.Coolmuster PDF Image Extractor.exe.57f3ce2.7.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants. Description: Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type. Website: https://www.deadbits.org, Date: 2019-07-18, Repo: https://github.com/deadbits/yara-rules, Author: Adam M. Swanda
Source: 15.3.Coolmuster PDF Image Extractor.exe.34185ae.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (same rule, description, website, date, repo and author as above)
Source: 15.2.Coolmuster PDF Image Extractor.exe.33a0686.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (same rule, description, website, date, repo and author as above)
Source: 15.3.Coolmuster PDF Image Extractor.exe.34185bf.4.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (same rule, description, website, date, repo and author as above)
Source: 15.3.Coolmuster PDF Image Extractor.exe.34185bf.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (same rule, description, website, date, repo and author as above)
Source: 15.3.Coolmuster PDF Image Extractor.exe.532aea2.6.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (same rule, description, website, date, repo and author as above)
Source: 15.3.Coolmuster PDF Image Extractor.exe.52b2896.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (same rule, description, website, date, repo and author as above)
Source: 15.3.Coolmuster PDF Image Extractor.exe.5239f2a.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (same rule, description, website, date, repo and author as above)
Source: 15.3.Coolmuster PDF Image Extractor.exe.33a12b6.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (same rule, description, website, date, repo and author as above)
Source: 15.3.Coolmuster PDF Image Extractor.exe.532aea2.6.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (same rule, description, website, date, repo and author as above)
Source: 15.3.Coolmuster PDF Image Extractor.exe.34185ae.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (same rule, description, website, date, repo and author as above)
Source: 15.3.Coolmuster PDF Image Extractor.exe.5779caa.5.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (same rule, description, website, date, repo and author as above)
Source: 15.3.Coolmuster PDF Image Extractor.exe.33a12b6.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (same rule, description, website, date, repo and author as above)
Source: 15.3.Coolmuster PDF Image Extractor.exe.5779caa.5.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (same rule, description, website, date, repo and author as above)
Source: 15.3.Coolmuster PDF Image Extractor.exe.52b2896.3.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (same rule, description, website, date, repo and author as above)
Source: 15.3.Coolmuster PDF Image Extractor.exe.5239f2a.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (same rule, description, website, date, repo and author as above)
Source: 15.2.Coolmuster PDF Image Extractor.exe.33a0686.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (same rule, description, website, date, repo and author as above)
Source: 15.3.Coolmuster PDF Image Extractor.exe.57f3ce2.7.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (same rule, description, website, date, repo and author as above)
Source: classification engine | Classification label: mal100.troj.evad.winZIP@15/115@0/0
Source: C:\Program Files\7-Zip\7zG.exe | File created: C:\Users\user\Desktop\d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\PSReadLineHistoryFile_762381681
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Mutant created: \Sessions\1\BaseNamedObjects\59035925
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global_Coolmuster PDF Image Extractor_2.2.27
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DF4373894EECD42FC3.TMP
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: Coolmuster PDF Image Extractor.exe | String found in binary or memory: set-addPolicy
Source: Coolmuster PDF Image Extractor.exe | String found in binary or memory: id-cmc-addExtensions
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown | Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi\" -spe -an -ai#7zMap15499:192:7zEvent20179
Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi\d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe "C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe"
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1228
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c powershell -ep bypass
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep bypass
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /all
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe "C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c powershell -ep bypass
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep bypass
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /all
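The process tree above carries three of the behaviours the report's signature list calls out: the installer (msiexec.exe) launching a dropped executable from the user's AppData\Local\Programs tree, a PowerShell child started with "-ep bypass" (the "Bypasses PowerShell execution policy" and "Suspicious PowerShell Parameter Substring" signatures), and whoami.exe /all run underneath that PowerShell. The block below is an added example, not Joe Sandbox code and not part of the report: it replays a constructed set of process-creation events modelled on this tree through three detection rules that walk the parent chain, so a detection engineer can see which event each rule fires on. The event schema, the PIDs, the rule names and the regular expression (a reduced approximation of the Sigma parameter-substring idea, covering only the execution-policy abbreviations) are my assumptions.

```python
import re

# Constructed process-creation events modelled on the tree in this report
# (synthetic test data in an invented schema, not the sandbox's own log format).
EVENTS = [
    {"pid": 4400, "ppid": 1000, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\sample.msi"'},
    {"pid": 4680, "ppid": 4400,
     "image": r"C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe"'},
    {"pid": 5000, "ppid": 1000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'},
    {"pid": 5100, "ppid": 5000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c powershell -ep bypass'},
    {"pid": 5200, "ppid": 5100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -ep bypass"},
    {"pid": 5300, "ppid": 5200, "image": r"C:\Windows\System32\whoami.exe",
     "cmdline": r'"C:\Windows\system32\whoami.exe" /all'},
    # benign control: a script run with no execution-policy override
    {"pid": 6000, "ppid": 1000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\scripts\backup.ps1"},
]

# Assumption: a reduced form of the "suspicious parameter substring" idea, limited to
# the abbreviations of -ExecutionPolicy followed by Bypass.
EP_BYPASS = re.compile(r"(?i)(?:^|\s)-(?:ep|ex|exec|executionpolicy)\s+bypass\b")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(by_pid, pid):
    """Yield parent events walking up the tree; stops at an unknown PPID or a cycle."""
    seen = {pid}
    ev = by_pid.get(pid)
    while ev is not None and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        ev = by_pid[ev["ppid"]]
        seen.add(ev["pid"])
        yield ev


def detect(events):
    """Return (rule_name, pid) pairs for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        # Rule 1: the Windows Installer service launching a per-user, non-system binary.
        if (parent is not None and basename(parent["image"]) == "msiexec.exe"
                and "\\appdata\\local\\" in e["image"].lower()):
            hits.append(("msiexec_spawns_appdata_exe", e["pid"]))
        # Rule 2: PowerShell started with the execution policy overridden to Bypass.
        if name == "powershell.exe" and EP_BYPASS.search(e["cmdline"]):
            hits.append(("powershell_execution_policy_bypass", e["pid"]))
        # Rule 3: whoami.exe anywhere below a PowerShell host (cmd.exe hops included).
        if name == "whoami.exe" and any(basename(a["image"]) == "powershell.exe"
                                        for a in ancestors(by_pid, e["pid"])):
            hits.append(("whoami_under_powershell", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print("%-36s pid=%d" % (rule, pid))
```

Walking the ancestry rather than checking only the direct parent is what makes rule 3 catch the whoami.exe here: its immediate parent is the second powershell.exe, but the same logic would still fire if an extra cmd.exe hop were inserted. Note that rule 2 deliberately ignores the cmd.exe line that also contains "-ep bypass"; the PowerShell instance it spawns is the event worth alerting on, and matching the cmd.exe line as well would double-count every such chain.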
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: uxtheme.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: cryptbase.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: explorerframe.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: textshaping.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: textinputframework.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: coreuicomponents.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: coremessaging.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: ntmarta.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptnet.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: webio.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: libbasic.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: pthreadgc2.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: zlib1.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: dbghelp.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: msvcp140.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: vcruntime140.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: librg.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: libi18n.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: libglog.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: groceryc.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: module.view.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: libxml2-2.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: libupdate.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: module.helper.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: vcruntime140.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: vcruntime140.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: msimg32.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: libexpat.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: libcurl.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: libdrive.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: dbgcore.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: libcrypto-1_1.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: libssl-1_1.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: libcrypto-1_1.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: quserex.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: atlthunk.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: unrar.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: imageutility.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: libjack.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: oleacc.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: wtsapi32.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Section loaded: wshunix.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\System32\whoami.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\whoami.exe | Section loaded: authz.dll
                    Source: C:\Windows\System32\whoami.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\whoami.exe | Section loaded: wkscli.dll
                    Source: C:\Windows\System32\whoami.exe | Section loaded: netutils.dll
                    Source: C:\Program Files\7-Zip\7zG.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi.zip | Static file information: File size 14664427 > 1048576
                    Source: Binary string: E:\Project\Software\Common\tags\102.libBasic-2.6\msw\2017\libBasic\Win32\Release\lib\libBasic.pdbBB%GCTL source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1799114042.0000000073D7C000.00000002.00000001.01000000.00000009.sdmp
                    Source: Binary string: D:\software\110.pdfimage-extractor-gui-2.2\projects\gui\Release\Module.View.pdb>>#GCTL source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1791496099.000000006CB77000.00000002.00000001.01000000.00000012.sdmp
                    Source: Binary string: E:\Project\Software\Common\tags\103.libUpdate-1.6\msw\2017\Release\libUpdate.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1791049275.000000006CB3C000.00000002.00000001.01000000.00000014.sdmp
                    Source: Binary string: E:\software\Lib\common\glog-20161230\src\build\vsprojects\libglog\Release\libglog.pdb"" source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1792741802.000000006CC0D000.00000002.00000001.01000000.00000010.sdmp
                    Source: Binary string: E:\Project\Software\Common\tags\104.libI18n-1.3\msw\2017\I18n\Release\libI18n.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1800329373.0000000074AC6000.00000002.00000001.01000000.0000000F.sdmp
                    Source: Binary string: D:\software\110.pdfimage-extractor-gui-2.2\projects\gui\Release\Module.View.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1791496099.000000006CB77000.00000002.00000001.01000000.00000012.sdmp
                    Source: Binary string: E:\software\Lib\common\glog-20161230\src\build\vsprojects\libglog\Release\libglog.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1792741802.000000006CC0D000.00000002.00000001.01000000.00000010.sdmp
                    Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.14.dr
                    Source: Binary string: E:\Project\Software\Common\tags\17.register-1.1\msw-2017\Release\libRG.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1799526500.0000000073DEB000.00000002.00000001.01000000.0000000E.sdmp
                    Source: Binary string: E:\Project\Software\Common\tags\102.libBasic-2.6\msw\2017\libBasic\Win32\Release\lib\libBasic.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1799114042.0000000073D7C000.00000002.00000001.01000000.00000009.sdmp
                    Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1799804567.00000000747F1000.00000020.00000001.01000000.0000000D.sdmp
                    Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1798016768.0000000073CE1000.00000020.00000001.01000000.0000000C.sdmp
                    Source: Binary string: C:\PDR14_AutoBuild\LayerTemplate_9\Generic\Trunk\bin\Win32\Release\ImageUtility.pdb2 source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1773080344.000000006BC5F000.00000002.00000001.01000000.0000001D.sdmp
                    Source: Binary string: D:\software\110.pdfimage-extractor-gui-2.2\projects\gui\Win32\Release\Bin\FileProcessManager.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000000.1709763138.0000000000214000.00000002.00000001.01000000.00000008.sdmp
                    Source: Binary string: E:\Project\Software\Common\tags\103.libUpdate-1.6\msw\2017\Release\libUpdate.pdb$$ source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1791049275.000000006CB3C000.00000002.00000001.01000000.00000014.sdmp
                    Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\vccorlib140.i386.pdb source: vccorlib140.dll.14.dr
                    Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\vccorlib140.i386.pdbGCTL source: vccorlib140.dll.14.dr
                    Source: Binary string: D:\DGProject\bin\Win32\Release\GuardEassosRestoreBoot.pdb source: GuardEassosRestoreBoot,1.exe.14.dr
                    Source: Binary string: D:\software\110.pdfimage-extractor-gui-2.2\projects\gui\Release\Module.Helper.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1788395528.000000006C9BC000.00000002.00000001.01000000.00000016.sdmp, Module.Helper.dll.14.dr
                    Source: Binary string: C:\PDR14_AutoBuild\LayerTemplate_9\Generic\Trunk\bin\Win32\Release\ImageUtility.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1773080344.000000006BC5F000.00000002.00000001.01000000.0000001D.sdmp
                    Source: Binary string: E:\Project\Software\Common\tags\104.libI18n-1.3\msw\2017\I18n\Release\libI18n.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1800329373.0000000074AC6000.00000002.00000001.01000000.0000000F.sdmp
                    Source: Binary string: D:\software\110.pdfimage-extractor-gui-2.2\projects\gui\Win32\Release\Bin\FileProcessManager.pdbJJ2 source: Coolmuster PDF Image Extractor.exe, 0000000F.00000000.1709763138.0000000000214000.00000002.00000001.01000000.00000008.sdmp
                    Source: Binary string: E:\Project\Software\Common\tags\85.groceryc-1.1\msw\2017\temp\link\groceryc\Release\groceryc.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1792221350.000000006CBD6000.00000002.00000001.01000000.00000011.sdmp
                    Source: Binary string: api-ms-win-core-xstate-l2-1-0.pdb source: API-MS-Win-core-xstate-l2-1-0.dll.14.dr
                    Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.14.dr
                    Source: Binary string: E:\Project\Software\Common\tags\85.groceryc-1.1\msw\2017\temp\link\groceryc\Release\groceryc.pdbEE"GCTL source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1792221350.000000006CBD6000.00000002.00000001.01000000.00000011.sdmp
                    Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.14.dr
                    Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.14.dr
                    Source: api-ms-win-crt-math-l1-1-0.dll.14.dr | Static PE information: 0xBB0CD117 [Tue Jun 11 12:29:11 2069 UTC]
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_62E8E0B0 _winmajor,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,15_2_62E8E0B0
                    Source: libBasic.dll.14.dr | Static PE information: real checksum: 0x0 should be: 0x43159
                    Source: libI18n.dll.14.dr | Static PE information: real checksum: 0x0 should be: 0x8c9e
                    Source: libglog.dll.14.dr | Static PE information: real checksum: 0x0 should be: 0x31892
                    Source: groceryc.dll.14.dr | Static PE information: real checksum: 0x0 should be: 0x5d60f
                    Source: ImageUtility.dll.14.dr | Static PE information: real checksum: 0x7a6e6 should be: 0x826e6
                    Source: libIPC.dll.14.dr | Static PE information: real checksum: 0x0 should be: 0x12eb2
                    Source: Module.Helper.dll.14.dr | Static PE information: real checksum: 0x0 should be: 0x1706a
                    Source: libRG.dll.14.dr | Static PE information: real checksum: 0x0 should be: 0x14e23
                    Source: libUpdate.dll.14.dr | Static PE information: real checksum: 0x0 should be: 0x12584
                    Source: Module.View.dll.14.dr | Static PE information: real checksum: 0x0 should be: 0x433a1
                    Source: Unrar.dll.14.dr | Static PE information: real checksum: 0x0 should be: 0xab3d7
                    Source: libpng14-14.dll.14.dr | Static PE information: section name: /4
                    Source: libpng14-14.dll.14.dr | Static PE information: section name: /14
                    Source: libpng14-14.dll.14.dr | Static PE information: section name: /29
                    Source: libpng14-14.dll.14.dr | Static PE information: section name: /41
                    Source: libpng14-14.dll.14.dr | Static PE information: section name: /55
                    Source: libpng14-14.dll.14.dr | Static PE information: section name: /67
                    Source: libpng14-14.dll.14.dr | Static PE information: section name: /80
                    Source: libpng14-14.dll.14.dr | Static PE information: section name: /91
                    Source: libpng14-14.dll.14.dr | Static PE information: section name: /102
                    Source: zlib1.dll.14.dr | Static PE information: section name: /4
                    Source: libgccfree.dll.14.dr | Static PE information: section name: /4
                    Source: libgccfree.dll.14.dr | Static PE information: section name: /14
                    Source: libgccfree.dll.14.dr | Static PE information: section name: /29
                    Source: libgccfree.dll.14.dr | Static PE information: section name: /41
                    Source: libgccfree.dll.14.dr | Static PE information: section name: /55
                    Source: libcrypto-1_1.dll.14.dr | Static PE information: section name: /4
                    Source: libcurl.dll.14.dr | Static PE information: section name: .eh_fram
                    Source: libssl-1_1.dll.14.dr | Static PE information: section name: /4
                    Source: libxml2-2.dll.14.dr | Static PE information: section name: /4
                    Source: libxml2-2.dll.14.dr | Static PE information: section name: /14
                    Source: libxml2-2.dll.14.dr | Static PE information: section name: /29
                    Source: libxml2-2.dll.14.dr | Static PE information: section name: /45
                    Source: libxml2-2.dll.14.dr | Static PE information: section name: /57
                    Source: libxml2-2.dll.14.dr | Static PE information: section name: /71
                    Source: libxml2-2.dll.14.dr | Static PE information: section name: /83
                    Source: libxml2-2.dll.14.dr | Static PE information: section name: /96
                    Source: libxml2-2.dll.14.dr | Static PE information: section name: /107
                    Source: libxml2-2.dll.14.dr | Static PE information: section name: /118
                    Source: ImageUtility.dll.14.drStatic PE information: section name: .data1
                    Source: ImageUtility.dll.14.drStatic PE information: section name: .trace
                    Source: ImageUtility.dll.14.drStatic PE information: section name: _RDATA
                    Source: pthreadGC2.dll.14.drStatic PE information: section name: /4
                    Source: pthreadGC2.dll.14.drStatic PE information: section name: /14
                    Source: pthreadGC2.dll.14.drStatic PE information: section name: /29
                    Source: pthreadGC2.dll.14.drStatic PE information: section name: /45
                    Source: pthreadGC2.dll.14.drStatic PE information: section name: /61
                    Source: pthreadGC2.dll.14.drStatic PE information: section name: /73
                    Source: pthreadGC2.dll.14.drStatic PE information: section name: /87
                    Source: pthreadGC2.dll.14.drStatic PE information: section name: /99
                    Source: pthreadGC2.dll.14.drStatic PE information: section name: /112
                    Source: pthreadGC2.dll.14.drStatic PE information: section name: /123
                    Source: pthreadGC2.dll.14.drStatic PE information: section name: /134
                    Source: msvcp140.dll.14.drStatic PE information: section name: .didat
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe Code function: 15_3_009AAC90 push ebx; iretd 15_3_009AAC92
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe Code function: 15_3_009AAC31 push ebx; ret 15_3_009AAC32
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-runtime-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\vcruntime140.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-conio-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-memory-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-filesystem-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libexpat.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\msvcp140_1.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\DGBCDX64.exe
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libpng14-14.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-console-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\groceryc.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-multibyte-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-private-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\vccorlib140.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\OfflineReg.exe
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libUpdate.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-file-l2-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Module.Helper.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-errorhandling-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-console-l1-2-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-heap-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-debug-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\msvcp140_codecvt_ids.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\pthreadGC2.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Module.View.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-environment-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Unrar.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\ucrtbase.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\concrt140.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libglog.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-convert-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libRG.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-file-l1-2-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-datetime-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-profile-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\ImageUtility.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-processthreads-l1-1-1.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libcrypto-1_1.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\API-MS-Win-core-xstate-l2-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libIPC.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-timezone-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\GuardEassosRestoreBoot,2.exe
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-stdio-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-handle-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-synch-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-louserzation-l1-2-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\zlib1.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-processenvironment-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-file-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-processthreads-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libdrive.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\GuardEassosRestoreBoot,1.exe
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-math-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-interlocked-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libI18n.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libssl-1_1.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-heap-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-libraryloader-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-rtlsupport-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-process-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-namedpipe-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-sysinfo-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libxml2-2.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libcurl.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-locale-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-string-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-utility-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-util-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-string-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\msvcp140.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libBasic.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\msvcp140_atomic_wait.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-synch-l1-2-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libgccfree.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-time-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\msvcp140_2.dll
                    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\license_En.txt

                    Boot Survival

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /all

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe Process information set: NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_3_009FCF80 sldt word ptr [eax]
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1262
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8616
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 974
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8829
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-runtime-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-conio-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-memory-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-filesystem-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\msvcp140_1.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\DGBCDX64.exe
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libpng14-14.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-console-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-multibyte-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-private-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\vccorlib140.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\OfflineReg.exe
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-file-l2-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-errorhandling-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-console-l1-2-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-heap-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-debug-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\msvcp140_codecvt_ids.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-environment-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\concrt140.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-convert-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-file-l1-2-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-datetime-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-profile-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-processthreads-l1-1-1.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\API-MS-Win-core-xstate-l2-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libIPC.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-timezone-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\GuardEassosRestoreBoot,2.exe
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-stdio-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-handle-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-synch-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-louserzation-l1-2-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-processenvironment-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-file-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-processthreads-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\GuardEassosRestoreBoot,1.exe
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-math-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-interlocked-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-heap-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-libraryloader-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-rtlsupport-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-process-l1-1-0.dll
                    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-locale-l1-1-0.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-string-l1-1-0.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-string-l1-1-0.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-util-l1-1-0.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\msvcp140_atomic_wait.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libgccfree.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\msvcp140_2.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | API coverage: 2.9 %
                    Source: C:\Windows\System32\msiexec.exe TID: 6812 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6172 | Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6168 | Thread sleep count: 974 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7108 | Thread sleep count: 8829 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4300 | Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 26_2_00007FFEC7F02BD0 GetSystemInfo
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1746540298.0000000000999000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1711656176.0000000000995000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW{G~
                    Source: Coolmuster PDF Image Extractor.exe, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1714864839.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1711656176.0000000000995000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1746540298.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1762660383.00000000009A2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1713159155.00000000009F6000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1714864839.00000000009F6000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1711656176.00000000009F6000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1742260027.00000000009F6000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1762660383.00000000009F6000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1712121777.00000000009F6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation

                    Anti Debugging

                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Process queried: DebugPort
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_6BC52782 IsDebuggerPresent
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_62E8E0B0 _winmajor,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Windows\System32\whoami.exe | Process token adjusted: Debug
                    Source: C:\Windows\System32\whoami.exe | Process token adjusted: Debug
                    Source: C:\Windows\System32\whoami.exe | Process token adjusted: Debug
                    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe "C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe"
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_6BC573DB SetUnhandledExceptionFilter,UnhandledExceptionFilter
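The process-creation entries in this section (msiexec.exe starting "Coolmuster PDF Image Extractor.exe" from the per-user Programs folder) and in the HIPS / PFW section that follows (cmd.exe starting "powershell -ep bypass", and PowerShell starting "whoami.exe /all") are the part of this report that turns directly into endpoint detection logic. The following is an added example and is not code from the Joe Sandbox report or from Joe Security: it encodes those three observations as rules over a minimal process-creation record. The event shape (parent_image, image, command_line) is an assumption modelled on Sysmon event ID 1 / Windows event 4688, and the sample events are constructed from the process tree shown in this report rather than captured telemetry.

```python
r"""Detection over process-creation events for the behaviour chain in this report.

Added example, not part of the Joe Sandbox report or of any Joe Security tool.
Rules (each mirrors one observation listed in the report):
  1. msiexec.exe starts an executable installed below <user>\AppData\Local\Programs,
  2. PowerShell is started with an execution-policy bypass switch (-ep bypass or
     any unambiguous prefix of -ExecutionPolicy followed by Bypass),
  3. whoami.exe /all is spawned by PowerShell.
The event record is an assumption modelled on Sysmon event ID 1; the sample
events at the bottom are constructed for this example, not captured telemetry.
"""
import re
import shlex
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


# Anything below the per-user Programs folder is writable by a standard user,
# so msiexec.exe launching a PE from there is worth a look even without the RAT.
_USER_PROGRAMS = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\programs\\", re.I)
_POWERSHELL = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def _tokens(command_line: str) -> List[str]:
    # posix=False keeps Windows backslashes and quoted paths intact.
    return [t.lower() for t in shlex.split(command_line, posix=False)]


def _is_execution_policy_switch(token: str) -> bool:
    # powershell.exe accepts the documented alias -ep and any unambiguous
    # prefix of -ExecutionPolicy (-ex, -exec, -executionpolicy, ...).
    if token[:1] not in ("-", "/"):
        return False
    name = token[1:]
    return name == "ep" or (len(name) >= 2 and "executionpolicy".startswith(name))


def rule_msiexec_starts_user_program(ev: ProcEvent) -> bool:
    """msiexec.exe (parent) launches a PE below %LOCALAPPDATA%\\Programs."""
    return _basename(ev.parent_image) == "msiexec.exe" and bool(_USER_PROGRAMS.match(ev.image))


def rule_powershell_execution_policy_bypass(ev: ProcEvent) -> bool:
    """PowerShell started with '-ep bypass' or an equivalent spelling."""
    if _basename(ev.image) not in _POWERSHELL:
        return False
    toks = _tokens(ev.command_line)
    return any(_is_execution_policy_switch(t) and toks[i + 1] == "bypass"
               for i, t in enumerate(toks[:-1]))


def rule_whoami_all_from_powershell(ev: ProcEvent) -> bool:
    """whoami.exe /all (privileges and group SIDs) spawned by PowerShell."""
    return (_basename(ev.parent_image) in _POWERSHELL
            and _basename(ev.image) == "whoami.exe"
            and "/all" in _tokens(ev.command_line))


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "msiexec_starts_user_program": rule_msiexec_starts_user_program,
    "powershell_execution_policy_bypass": rule_powershell_execution_policy_bypass,
    "whoami_all_from_powershell": rule_whoami_all_from_powershell,
}


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule name) for every event matching a rule, in event order."""
    return [(ev.pid, name) for ev in events for name, rule in RULES.items() if rule(ev)]


def chain_complete(events: List[ProcEvent]) -> bool:
    """True when all three stages fired; one stage alone is only a weak signal."""
    return {name for _, name in detect(events)} == set(RULES)


# Constructed sample events following the process tree shown in the report.
_INSTALL_DIR = r"C:\Users\user\AppData\Local\Programs\Network MPluginManager"
SAMPLE_EVENTS = [
    ProcEvent(15, r"C:\Windows\System32\msiexec.exe",
              _INSTALL_DIR + r"\Coolmuster PDF Image Extractor.exe",
              '"' + _INSTALL_DIR + r'\Coolmuster PDF Image Extractor.exe"'),
    ProcEvent(20, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -ep bypass"),
    ProcEvent(26, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c powershell -ep bypass'),
    ProcEvent(30, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\whoami.exe",
              r'"C:\Windows\system32\whoami.exe" /all'),
    # Benign controls (constructed): no rule should fire on these.
    ProcEvent(40, r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -NoProfile -Command Get-Date"),
    ProcEvent(41, r"C:\Windows\System32\msiexec.exe",
              r"C:\Program Files\Vendor\setup.exe",
              r'"C:\Program Files\Vendor\setup.exe" /silent'),
]

if __name__ == "__main__":
    for pid, name in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {name}")
    print("full chain observed:", chain_complete(SAMPLE_EVENTS))
```

The execution-policy rule deliberately matches on parsed tokens rather than a fixed substring, because the report's own Sigma hit ("Suspicious PowerShell Parameter Substring") is the kind of rule that `-exec bypass` or `-ExecutionPolicy Bypass` spelled differently can slip past. Treat `chain_complete` as the escalation point: msiexec.exe launching a user-writable executable happens in legitimate per-user installers, and only the combination with the PowerShell and whoami stages reproduces what this sample did.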

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep bypass
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c powershell -ep bypassJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep bypassJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /allJump to behavior
                    Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\userbrii.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\userbrili.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\userbrib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\userbriz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\taile.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\pala.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\palai.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\palab.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\userFR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\userFI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\userFB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\userST.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\userSTI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\userSTB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\userSTBI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.3208.cat | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll | VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Code function: 15_2_6BC56FA6 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,15_2_6BC56FA6
                    Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.57f3ce2.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.34185ae.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.Coolmuster PDF Image Extractor.exe.33a0686.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.34185bf.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.34185bf.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.532aea2.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.52b2896.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.5239f2a.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.33a12b6.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.532aea2.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.34185ae.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.5779caa.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.33a12b6.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.5779caa.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.52b2896.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.5239f2a.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.Coolmuster PDF Image Extractor.exe.33a0686.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.3.Coolmuster PDF Image Extractor.exe.57f3ce2.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000F.00000003.1745283637.00000000033A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000003.1748957291.0000000003418000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000003.1750127063.0000000003418000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000003.1742404659.00000000051C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000003.1749417346.00000000052AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000003.1753919014.00000000057F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.1764870232.00000000033A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000003.1750585922.0000000005778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000003.1751129561.000000000532A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Coolmuster PDF Image Extractor.exe PID: 4680, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match, File source: 15.3.Coolmuster PDF Image Extractor.exe.57f3ce2.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.3.Coolmuster PDF Image Extractor.exe.34185ae.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.Coolmuster PDF Image Extractor.exe.33a0686.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.3.Coolmuster PDF Image Extractor.exe.34185bf.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.3.Coolmuster PDF Image Extractor.exe.34185bf.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.3.Coolmuster PDF Image Extractor.exe.532aea2.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.3.Coolmuster PDF Image Extractor.exe.52b2896.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.3.Coolmuster PDF Image Extractor.exe.5239f2a.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.3.Coolmuster PDF Image Extractor.exe.33a12b6.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.3.Coolmuster PDF Image Extractor.exe.532aea2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.3.Coolmuster PDF Image Extractor.exe.34185ae.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.3.Coolmuster PDF Image Extractor.exe.5779caa.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.3.Coolmuster PDF Image Extractor.exe.33a12b6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.3.Coolmuster PDF Image Extractor.exe.5779caa.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.3.Coolmuster PDF Image Extractor.exe.52b2896.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.3.Coolmuster PDF Image Extractor.exe.5239f2a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.Coolmuster PDF Image Extractor.exe.33a0686.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.3.Coolmuster PDF Image Extractor.exe.57f3ce2.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000F.00000003.1745283637.00000000033A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000003.1748957291.0000000003418000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000003.1750127063.0000000003418000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000003.1742404659.00000000051C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000003.1749417346.00000000052AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000003.1753919014.00000000057F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.1764870232.00000000033A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000003.1750585922.0000000005778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000003.1751129561.000000000532A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Coolmuster PDF Image Extractor.exe PID: 4680, type: MEMORYSTR
MITRE ATT&CK Matrix (one tactic per column; a leading number is the signature-count badge shown before the technique name)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 11 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 141 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 141 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Rundll32 | Cached Domain Credentials | 11 Peripheral Device Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Timestomp | DCSync | 2 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 115 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 File Deletion | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1532102
Sample: d7816ba6ddda0c4e833d9bba858...
Startdate: 12/10/2024
Architecture: WINDOWS
Score: 100

Signatures on the sample node: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures

Process tree (numbers after a process name are the graph's per-node counters):
msiexec.exe (157 117) started
    dropped: C:\...\Coolmuster PDF Image Extractor.exe, PE32
    dropped: C:\Users\user\AppData\Local\...\zlib1.dll, PE32
    dropped: C:\Users\user\AppData\...\vcruntime140.dll, PE32
    dropped: 74 other files (none is malicious)
    Coolmuster PDF Image Extractor.exe (17) started
        WerFault.exe (4) started
powershell.exe (15) started
    signature: Uses whoami command line tool to query computer and username
    cmd.exe (1) started
        signature: Bypasses PowerShell execution policy
        powershell.exe (9) started
            signature: Uses whoami command line tool to query computer and username
            signature: Loading BitLocker PowerShell Module
            whoami.exe (1) started
    conhost.exe (1) started
7zG.exe (2) started
2 other processes started

                    No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Programs\Network MPluginManager\API-MS-Win-core-xstate-l2-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\DGBCDX64.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\GuardEassosRestoreBoot,1.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\GuardEassosRestoreBoot,2.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\ImageUtility.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\Module.Helper.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\Module.View.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\OfflineReg.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\Unrar.dll | 3% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-console-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-console-l1-2-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-datetime-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-debug-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-errorhandling-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-file-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-file-l1-2-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-file-l2-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-handle-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-heap-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-interlocked-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-libraryloader-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-louserzation-l1-2-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-memory-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-namedpipe-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-processenvironment-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-processthreads-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-processthreads-l1-1-1.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-profile-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-rtlsupport-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-string-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-synch-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-synch-l1-2-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-sysinfo-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-timezone-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-util-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-conio-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-convert-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-environment-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-filesystem-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-heap-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-locale-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-math-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-multibyte-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-private-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-process-l1-1-0.dll | 0% | ReversingLabs | |
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.fontbureau.com/designers | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers/frere-jones.html | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/8E | 0% | Virustotal | | Browse
http://www.fontbureau.com/designersG | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe |
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD | 0% | Virustotal | | Browse
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers? | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
http://www.fonts.com | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://www.fontbureau.com | 0% | URL Reputation | safe |
45.133.74.183 | 8% | Virustotal | | Browse
http://www.jiyu-kobo.co.jp/yE | 0% | Virustotal | | Browse
http://www.ascc.net/xml/schematron | 0% | Virustotal | | Browse
http://www.jiyu-kobo.co.jp// | 0% | Virustotal | | Browse
https://curl.se/docs/hsts.html | 0% | Virustotal | | Browse
http://www.fontbureau.com/ | 0% | Virustotal | | Browse
http://www.ascendercorp.com/typedesigners.html | 0% | Virustotal | | Browse
http://www.jiyu-kobo.co.jp/Y0 | 0% | Virustotal | | Browse
http://www.ascc.net/xml/schematronL | 0% | Virustotal | | Browse
http://relaxng.org/ns/structure/1.0Use | 0% | Virustotal | | Browse
https://curl.se/docs/alt-svc.html | 0% | Virustotal | | Browse
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal | | Browse
http://www.jiyu-kobo.co.jp/CE | 0% | Virustotal | | Browse
http://www.galapagosdesign.com/ | 0% | Virustotal | | Browse
http://www.jiyu-kobo.co.jp/Y0/ | 0% | Virustotal | | Browse
http://sourceware.org/pthreads-win32/DVarFileInfo$ | 0% | Virustotal | | Browse
https://github.com/Pester/Pester | 1% | Virustotal | | Browse
                    No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
45.133.74.183 | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.typography.nethi | Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1719239028.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1719452091.0000000003897000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.jiyu-kobo.co.jp/8E | Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724117095.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724384337.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726298467.0000000003896000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1727033049.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724852939.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725893463.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726821756.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725088113.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724648148.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725385477.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726419430.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725731416.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726624557.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1727211944.000000000389E000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726036225.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726171400.0000000003897000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0.htmlp4( | powershell.exe, 0000001A.00000002.2468091631.00000215CC8C4000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.fontbureau.com/designers | Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1752328813.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1745113402.00000000038A6000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725731416.0000000003897000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD | Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1794183255.0000000071005000.00000002.00000001.01000000.00000013.sdmp | false | | unknown
http://www.fonts.comnt | Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1718578432.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1718657434.0000000003897000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.fontbureau.comF8E | Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732873365.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732686584.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1733031852.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732485898.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1733202327.0000000003897000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.ascc.net/xml/schematron | Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1794183255.0000000071005000.00000002.00000001.01000000.00000013.sdmp | false | | unknown
http://www.sajatypeworks.com | Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://curl.se/docs/hsts.html | libcurl.dll.14.dr | false | | unknown
http://www.founder.com.cn/cn/cThe | Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/yE | Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726298467.0000000003896000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725893463.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725385477.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725731416.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726036225.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726171400.0000000003897000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://geoplugin.net/json.gp/C | Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1745283637.00000000033A1000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1748957291.0000000003418000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1742404659.00000000051C1000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1750127063.0000000003418000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1749417346.00000000052AD000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1753919014.00000000057F3000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1764870232.00000000033A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1750585922.0000000005778000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1751129561.000000000532A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com2 | Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1731519810.0000000003896000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1730654645.0000000003897000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.fontbureau.comoJER | Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1751997246.0000000003895000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1753825189.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1752741479.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1750528655.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1751134931.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1752328813.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1753427512.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1749354729.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1751702306.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1749814332.0000000003896000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.jiyu-kobo.co.jp// | Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724384337.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724852939.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724648148.000000000389B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://nuget.org/nuget.exe | powershell.exe, 0000001A.00000002.2468091631.00000215CE1F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2533794190.00000215DC78E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2468091631.00000215CC8C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2533794190.00000215DC64E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/ | Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726298467.0000000003896000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1727033049.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725893463.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726821756.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1727704373.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1727459329.0000000003896000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726419430.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725731416.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726624557.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1727211944.000000000389E000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726036225.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726171400.0000000003897000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.galapagosdesign.com/DPlease | Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0 | Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724384337.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724852939.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725088113.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724648148.000000000389B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.jiyu-kobo.co.jp/jp/vE. | Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724852939.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725088113.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724648148.000000000389B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.fontbureau.comgrito | Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1750528655.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1751134931.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1749354729.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1749814332.0000000003896000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.ascendercorp.com/typedesigners.html | Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1741422053.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1741207429.000000000388F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.ascc.net/xml/schematronL | Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1794183255.0000000071005000.00000002.00000001.01000000.00000013.sdmp | false | | unknown
http://www.urwpp.deDPlease | Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmp | false
                                    • URL Reputation: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 0000001A.00000002.2468091631.00000215CC5E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.comalsdCoolmuster PDF Image Extractor.exe, 0000000F.00000003.1745113402.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1744555798.000000000389E000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1747114045.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1746372002.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1745924243.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1746732597.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1747508403.0000000003897000.00000004.00000020.00020000.00000000.sdmpfalse
                                      unknown
                                      http://www.galapagosdesign.com/Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1741877450.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1742321757.0000000003897000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                                      http://www.fontbureau.comsiefdECoolmuster PDF Image Extractor.exe, 0000000F.00000003.1741422053.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1741207429.000000000388F000.00000004.00000020.00020000.00000000.sdmpfalse
                                        unknown
                                        http://www.carterandcone.comdCoolmuster PDF Image Extractor.exe, 0000000F.00000003.1722822164.000000000388F000.00000004.00000020.00020000.00000000.sdmpfalse
                                          unknown
                                          http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000001A.00000002.2468091631.00000215CE16D000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000001A.00000002.2468091631.00000215CE16D000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                                          http://www.carterandcone.comXCoolmuster PDF Image Extractor.exe, 0000000F.00000003.1722822164.000000000388F000.00000004.00000020.00020000.00000000.sdmpfalse
                                            unknown
                                            http://www.carterandcone.comde0)Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1722822164.000000000388F000.00000004.00000020.00020000.00000000.sdmpfalse
                                              unknown
                                              https://go.micropowershell.exe, 0000001A.00000002.2468091631.00000215CDA36000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://relaxng.org/ns/structure/1.0UseCoolmuster PDF Image Extractor.exe, 0000000F.00000002.1794183255.0000000071005000.00000002.00000001.01000000.00000013.sdmpfalseunknown
                                              https://contoso.com/Iconpowershell.exe, 0000001A.00000002.2533794190.00000215DC64E000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.comcomoCoolmuster PDF Image Extractor.exe, 0000000F.00000003.1732873365.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732686584.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732485898.0000000003897000.00000004.00000020.00020000.00000000.sdmpfalse
                                                unknown
                                                https://curl.se/docs/alt-svc.htmllibcurl.dll.14.drfalseunknown
                                                https://github.com/Pester/Pesterpowershell.exe, 0000001A.00000002.2468091631.00000215CE16D000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                                                http://en.wCoolmuster PDF Image Extractor.exe, 0000000F.00000003.1719239028.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1719452091.0000000003897000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  unknown
                                                  http://www.carterandcone.comlCoolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.jiyu-kobo.co.jp/CECoolmuster PDF Image Extractor.exe, 0000000F.00000003.1726298467.0000000003896000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724852939.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725893463.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725088113.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724648148.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725385477.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725731416.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726036225.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726171400.0000000003897000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                                                  http://www.zhongyicts.com.cnkCoolmuster PDF Image Extractor.exe, 0000000F.00000003.1722369894.0000000003892000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    unknown
                                                    http://sourceware.org/pthreads-win32/DVarFileInfo$Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmpfalseunknown
                                                    http://www.fontbureau.com/designers/frere-jones.htmlCoolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1740687994.00000000038AA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.jiyu-kobo.co.jp/Y0/Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726298467.0000000003896000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1727033049.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725893463.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726821756.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725385477.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726419430.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725731416.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726624557.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1727211944.000000000389E000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726036225.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726171400.0000000003897000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                                                    http://www.carterandcone.comTCU)Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1723119947.0000000003892000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1722822164.000000000388F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      unknown
                                                      http://www.galapagosdesign.com/oE7Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1745113402.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1744555798.000000000389E000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1747114045.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1741877450.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1742717841.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1746372002.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1744078990.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1745924243.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1743466216.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1743093534.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1746732597.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1742321757.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1747508403.0000000003897000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        unknown
                                                        http://www.fontbureau.comritaCoolmuster PDF Image Extractor.exe, 0000000F.00000003.1753825189.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1752741479.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1752328813.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1753427512.000000000389B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          unknown
                                                          http://www.fontbureau.comituCoolmuster PDF Image Extractor.exe, 0000000F.00000003.1741877450.0000000003897000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            unknown
                                                            http://www.carterandcone.combliCoolmuster PDF Image Extractor.exe, 0000000F.00000003.1723119947.0000000003892000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1722822164.000000000388F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              unknown
                                                              http://www.jiyu-kobo.co.jp/jp/oE7Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724117095.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724384337.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725893463.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725088113.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725385477.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725731416.0000000003897000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                unknown
                                                                http://www.fontbureau.comtasCoolmuster PDF Image Extractor.exe, 0000000F.00000003.1745113402.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1744555798.000000000389E000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1747114045.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1746372002.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1744078990.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1745924243.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1746732597.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1747508403.0000000003897000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  http://www.fontbureau.com/designers/cabarga.html8zCoolmuster PDF Image Extractor.exe, 0000000F.00000003.1741877450.00000000038AD000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1742321757.00000000038AD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    http://www.winimage.com/zLibDll0123456789ABCDEFuuuuuuuubtnufruuuuuuuuuuuuuuuuuuCoolmuster PDF Image Extractor.exe, 0000000F.00000002.1799114042.0000000073D7C000.00000002.00000001.01000000.00000009.sdmpfalse
                                                                      unknown
                                                                      https://curl.se/VCoolmuster PDF Image Extractor.exe, 0000000F.00000002.1790291772.000000006CAE8000.00000008.00000001.01000000.00000017.sdmp, libcurl.dll.14.drfalse
                                                                        unknown
                                                                        http://html4/loose.dtdCoolmuster PDF Image Extractor.exe, 0000000F.00000002.1789730468.000000006CA95000.00000002.00000001.01000000.00000017.sdmp, libcurl.dll.14.drfalse
                                                                          unknown
                                                                          http://www.fontbureau.com/designersGCoolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.fontbureau.com/designers/?Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.founder.com.cn/cn/bTheCoolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.jiyu-kobo.co.jp/JERCoolmuster PDF Image Extractor.exe, 0000000F.00000003.1724117095.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724384337.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1723912386.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724852939.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725893463.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725088113.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724648148.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725385477.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725731416.0000000003897000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            http://www.fontbureau.com/designers?Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://pesterbdd.com/images/Pester.pngp4(powershell.exe, 0000001A.00000002.2468091631.00000215CC8C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              https://contoso.com/Licensepowershell.exe, 0000001A.00000002.2533794190.00000215DC64E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://www.fontbureau.como.jp/Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725731416.0000000003897000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                http://www.galapagosdesign.com/staff/dennis.htmY=Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1741877450.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1742321757.0000000003897000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  http://www.tiro.comCoolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://www.goodfont.co.krCoolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://.cssCoolmuster PDF Image Extractor.exe, 0000000F.00000002.1789730468.000000006CA95000.00000002.00000001.01000000.00000017.sdmp, libcurl.dll.14.drfalse
                                                                                    unknown
                                                                                    http://purl.oclc.org/dsdl/schematronCoolmuster PDF Image Extractor.exe, 0000000F.00000002.1794183255.0000000071005000.00000002.00000001.01000000.00000013.sdmpfalse
                                                                                      unknown
                                                                                      http://www.carterandcone.comCoolmuster PDF Image Extractor.exe, 0000000F.00000003.1723119947.0000000003892000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1722822164.000000000388F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        unknown
                                                                                        http://www.typography.netDCoolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        http://www.fontbureau.com/designersDLrCoolmuster PDF Image Extractor.exe, 0000000F.00000003.1732215353.0000000003897000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          http://www.galapagosdesign.com/staff/dennis.htmCoolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1741877450.0000000003897000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          http://fontfabrik.comCoolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            http://www.typography.netCoolmuster PDF Image Extractor.exe, 0000000F.00000003.1719452091.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1719558546.0000000003897000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              http://www.fontbureau.comasedCoolmuster PDF Image Extractor.exe, 0000000F.00000003.1732014333.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732873365.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732215353.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732686584.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1733031852.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732485898.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1733202327.0000000003897000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                http://www.fontbureau.comonydCoolmuster PDF Image Extractor.exe, 0000000F.00000003.1740687994.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1741207429.000000000388F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  http://www.fontbureau.com/designerseCoolmuster PDF Image Extractor.exe, 0000000F.00000003.1726298467.0000000003896000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726419430.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726624557.00000000038A3000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725893463.00000000038A3000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725731416.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726036225.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726171400.0000000003897000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    http://www.fontbureau.com/designersdCoolmuster PDF Image Extractor.exe, 0000000F.00000003.1731519810.00000000038A5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      unknown
URL: https://contoso.com/powershell.exe
Source: powershell.exe, 0000001A.00000002.2533794190.00000215DC64E000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

URL: http://www.jiyu-kobo.co.jp/oE7
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1723912386.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724852939.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724648148.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1723377149.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1723455455.00000000038A0000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: (none listed)
Reputation: unknown

URL: http://www.fonts.com
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1718445979.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1718356419.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1718250150.0000000003897000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

URL: http://www.sandoll.co.kr
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

URL: http://www.sakkal.com
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1743093534.0000000003897000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

URL: http://.jpg
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1789730468.000000006CA95000.00000002.00000001.01000000.00000017.sdmp, libcurl.dll.14.dr
Malicious: false
Antivirus Detection: (none listed)
Reputation: unknown

URL: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001A.00000002.2533794190.00000215DC78E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2468091631.00000215CC8C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2533794190.00000215DC64E000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

URL: http://www.apache.org/licenses/LICENSE-2.0
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2468091631.00000215CDFE3000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: (none listed)
Reputation: unknown

URL: http://www.fontbureau.com
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732014333.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1745113402.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1744555798.000000000389E000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1740687994.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1747114045.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1766296726.0000000004A82000.00000004.00000800.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1753825189.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1752741479.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1741877450.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1742717841.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732215353.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1731519810.0000000003896000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1746372002.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1744078990.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1752328813.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1745924243.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1743093534.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1746732597.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1753427512.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1742321757.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1730654645.0000000003897000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

URL: http://www.fontbureau.comF
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1745113402.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1744555798.000000000389E000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1747114045.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1746372002.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1745924243.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1746732597.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1747508403.0000000003897000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: (none listed)
Reputation: unknown

URL: https://curl.se/docs/http-cookies.html
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1789730468.000000006CA95000.00000002.00000001.01000000.00000017.sdmp, libcurl.dll.14.dr
Malicious: false
Antivirus Detection: (none listed)
Reputation: unknown

URL: http://www.carterandcone.comTC
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1723119947.0000000003892000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1722822164.000000000388F000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: (none listed)
Reputation: unknown

URL: http://www.fontbureau.com/designers/r
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1730654645.00000000038A5000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: (none listed)
Reputation: unknown

URL: http://www.urwpp.deO
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726965342.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: (none listed)
Reputation: unknown

URL: http://www.fontbureau.comF.Ev
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732873365.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732215353.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732686584.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1732485898.0000000003897000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: (none listed)
Reputation: unknown

URL: http://www.fonts.comn-u
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1718578432.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1718445979.0000000003897000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: (none listed)
Reputation: unknown

URL: http://www.jiyu-kobo.co.jp/1Ei
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724117095.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724384337.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724852939.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725893463.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725088113.00000000038A0000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1724648148.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725385477.000000000389B000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1725731416.0000000003897000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1726036225.0000000003897000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: (none listed)
Reputation: unknown
                                                                                                                            No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532102
Start date and time: 2024-10-12 10:25:11 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 23s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi.zip
Detection: MAL
Classification: mal100.troj.evad.winZIP@15/115@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .zip
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 2.16.100.168, 88.221.110.91
• Excluded domains from analysis (whitelisted): p-ring.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, t-ring.msedge.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtCreateKey calls found
Time | Type | Description
04:26:30 | API Interceptor | 1x Sleep call for process: msiexec.exe modified
04:27:13 | API Interceptor | 129x Sleep call for process: powershell.exe modified
                                                                                                                            No context
Match: C:\Users\user\AppData\Local\Programs\Network MPluginManager\API-MS-Win-core-xstate-l2-1-0.dll

Associated Sample Name / URL | Detection | Threat Name
ipNkjpa6m0.msi | malicious | DanaBot
yJYNZgoiNh.msi | malicious | DanaBot, RHADAMANTHYS
BizCloud_3.2.0.2453.msi | malicious | Unknown
Patch_MB_5.x.exe | malicious | Unknown
SecuriteInfo.com.Trojan.Siggen21.12106.29399.26647.exe | malicious | EICAR
SecuriteInfo.com.Trojan.Siggen21.12106.29399.26647.exe | malicious | EICAR
Patch_MB 4.6.x.exe | malicious | Unknown
Patch MB 4.5.xx.exe | malicious | Unknown
Patch MB 4.5.xx.exe | malicious | Unknown
invoice order-876451877#..xlsb | malicious | STRRAT
Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 24735
Entropy (8bit): 5.834570647214483
Encrypted: false
SSDEEP: 192:giy6+gH4bhk9mASh6uBiN7FC1nl/SOeP5P6+gIJ+gvFf0Zec4nXuvpot+M3xpti8:gU+GmAq5aFCtlKO+9+Kuel
MD5: D1BBDF29E19A493AA1E77FAAC12FE3A3
SHA1: BD422A42A57A3BC6A52D84F48C3E26F2C88EC172
SHA-256: CF9B7D382B2C77D0F815098184533E1533C365D66F9EF2EB137F101BFC2C71A2
SHA-512: 6B7AB5CC0CC7A9C53A986B3A04D3ACD4B6720CF35448E8F026389C69A43AF9D4C76D79AEA9868E3A538A392E4695FAEAE1011FA46F406BF0859038C0F769CF87
Malicious: false
Reputation: low
                                                                                                                                                Preview:...@IXOS.@.....@P#LY.@.....@.....@.....@.....@.....@......&.{4A194FDC-5FC7-428C-83CA-BC4A750D530B}..Network MPluginManagerD.d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi.@.....@.....@.....@........&.{29FF04AE-EC3E-484A-BDA9-9EFFD6567EDB}.....@.....@.....@.....@.......@.....@.....@.......@......Network MPluginManager......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{A208D58F-C124-FBA8-5E62-D9F309A889F7}&.{4A194FDC-5FC7-428C-83CA-BC4A750D530B}.@......&.{817A92D5-8BF7-8BB6-8915-93C4929ABC9B}&.{4A194FDC-5FC7-428C-83CA-BC4A750D530B}.@......&.{CB302EC1-B81E-4BB2-92BD-383C32ACD00C}&.{4A194FDC-5FC7-428C-83CA-BC4A750D530B}.@......&.{3EE7E081-425D-84E6-F75A-18A11BB790D1}&.{4A194FDC-5FC7-428C-83CA-BC4A750D530B}.@......&.{96349177-D0DA-00F0-7939-65ABEEA996E4}&.{4A194FDC-5FC7-428C-83CA-BC4A750D530B}.@......&.{FAC7D2BA-E292-BDC8-F585-273ABB52B7DD}&.{4A194FDC-5FC7-428C-83CA-BC4A7
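The dropped file above is a Windows Installer script (the preview opens with the IXOS header) that msiexec writes while installing the "Network MPluginManager" package, and it carries the package's ProductCode and the GUIDs of its components. The following is an added example, not part of the Joe Sandbox report, that pulls those GUIDs out of such a preview and converts them to the packed form under which Windows Installer registers products and components, which is the string you would search for in the registry of other hosts. The preview text is copied from the report (non-printable bytes rendered as "." by the sandbox); the recurrence heuristic for telling the ProductCode from component codes and the `<SID>` placeholder in the registry paths are assumptions of the example.

```python
"""Extract Windows Installer GUIDs from an IXOS script preview and derive
the packed GUID keys the Installer uses in the registry.

Added example for triage of the dropped file above; not Joe Sandbox code."""
import re
from collections import Counter

# Constructed input: the start of the report's "Preview" field for the
# msiexec-dropped Installer script, truncated as on the page.
PREVIEW = (
    "...@IXOS.@.....@P#LY.@.....@.....@.....@.....@.....@......"
    "&.{4A194FDC-5FC7-428C-83CA-BC4A750D530B}..Network MPluginManagerD."
    "d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi"
    ".@.....@.....@.....@........&.{29FF04AE-EC3E-484A-BDA9-9EFFD6567EDB}....."
    "....ProcessComponents..Updating component registration.."
    "&.{A208D58F-C124-FBA8-5E62-D9F309A889F7}&.{4A194FDC-5FC7-428C-83CA-BC4A750D530B}.@......"
    "&.{817A92D5-8BF7-8BB6-8915-93C4929ABC9B}&.{4A194FDC-5FC7-428C-83CA-BC4A750D530B}.@......"
    "&.{CB302EC1-B81E-4BB2-92BD-383C32ACD00C}&.{4A194FDC-5FC7-428C-83CA-BC4A750D530B}.@......"
)

GUID_RE = re.compile(r"\{([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\}", re.I)
PAIR_RE = re.compile(r"\{([0-9A-F-]{36})\}&\.\{([0-9A-F-]{36})\}", re.I)


def extract_guids(preview: str) -> list:
    """All GUIDs in order of appearance, braces stripped, upper-cased."""
    return [g.upper() for g in GUID_RE.findall(preview)]


def split_product_and_components(preview: str):
    """Heuristic (assumption): in the ProcessComponents section every entry is
    '{ComponentId}&{ProductCode}', so the GUID that recurs most often is the
    ProductCode and the GUIDs paired with it are the component ids."""
    guids = extract_guids(preview)
    product = Counter(guids).most_common(1)[0][0]
    components = [c.upper() for c, p in PAIR_RE.findall(preview) if p.upper() == product]
    return product, components


def pack_guid(guid: str) -> str:
    """Windows Installer packed GUID: reverse the first three groups character
    by character, then swap the two hex digits of every byte in the last two
    groups. {4A194FDC-5FC7-...} becomes CDF491A47CF5... as stored under
    HKLM\\...\\Installer\\UserData\\<SID>\\Products."""
    g = guid.strip("{}").replace("-", "").upper()
    if len(g) != 32:
        raise ValueError("not a GUID: %r" % guid)
    packed = g[0:8][::-1] + g[8:12][::-1] + g[12:16][::-1]
    tail = g[16:]
    packed += "".join(tail[i + 1] + tail[i] for i in range(0, 16, 2))
    return packed


def registry_hunt_paths(product_code: str, components: list) -> list:
    """Registry keys a per-user MSI install leaves behind for the product and
    its components. <SID> is a placeholder for the installing user's SID."""
    user_data = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\<SID>"
    p = pack_guid(product_code)
    paths = [
        r"HKCU\Software\Microsoft\Installer\Products" + "\\" + p,
        user_data + r"\Products" + "\\" + p + r"\InstallProperties",
    ]
    for c in components:
        paths.append(user_data + r"\Components" + "\\" + pack_guid(c))
    return paths


if __name__ == "__main__":
    product, comps = split_product_and_components(PREVIEW)
    print("ProductCode:", product, "->", pack_guid(product))
    for path in registry_hunt_paths(product, comps):
        print(path)
```

The second GUID in the preview ({29FF04AE-...}) appears only once and is not paired with the ProductCode, so the heuristic leaves it out; in an installer script that position usually holds the PackageCode or UpgradeCode, and it is worth recording separately when hunting for re-packaged variants of the same installer.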
Process: C:\Windows\System32\msiexec.exe
File Type: Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category: dropped
Size (bytes): 71954
Entropy (8bit): 7.996617769952133
Encrypted: true
SSDEEP: 1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5: 49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1: 1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256: B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512: BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious: false
                                                                                                                                                Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: modified
Size (bytes): 328
Entropy (8bit): 3.124682550181748
Encrypted: false
SSDEEP: 6:kKbjptL9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:jqDnLNkPlE99SNxAhUe/3
MD5: 71CEDC6B2C09639591F284A5E457EC58
SHA1: BCC07815C4E25C4756CFB26C498671CFF63A1626
SHA-256: DF7447603E04E45A237C67C61D0F0AF60B979B5DA3E8EF7090665D45EF8FE86B
SHA-512: 23DBCD4402063A50F5DDAEFBCCF01AA557C7CAF65F11CD97B814E04961B7E08511F5D4DAE4E62611CF301E2CBF968C7342D4098B3163077ACBB4B0CD0403DB4F
Malicious: false
                                                                                                                                                Preview:p...... .........("p....(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 61426
Entropy (8bit): 5.079136231842621
Encrypted: false
SSDEEP: 1536:eA1+z307j1HCbjjL4tvR4h4iUxqaVLflJnPvlOSHkqdx7YWfSb7OdBYNPzqtAHki:t1+z30n1HCbjjL4tvR4qiUqaVLflJnP8
MD5: 145354247C07AB771EA27AC53A6296E0
SHA1: 4E3FE419F36A8A60B39FE6C155CE94DF0FB1278F
SHA-256: 7D4EDD447B50022FB7378A9959321F30CF55EF906C3CBE736282EF4D0361CC1E
SHA-512: FA8B4675BA97018FC27EE28C52F17581C46DDE241BBE3483E20AF073345E9132595586AD67BE3BC319410281125B8E5185546B70D97DAD41B64C4F6D4A623F67
Malicious: false
                                                                                                                                                Preview:PSMODULECACHE.]...I.\.%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):19584
                                                                                                                                                Entropy (8bit):7.085606848100013
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:m1f5buWfhW4240V2sms/nGfegw6cunYqnajjhEzFWWFYg7VWQ4mWDdncunYqnaj7:m1f5buWfhWRLm0GfjulJgDqulJ5
                                                                                                                                                MD5:E536B81CF7C6A943D7178D763C613172
                                                                                                                                                SHA1:4F67AD45DF5E8CC5E9F82F6BD5B4A2AE798C82AC
                                                                                                                                                SHA-256:E3651CBD3A91B742D662DC11A9D9A6B4E03C652B8B694D90298D38D446885039
                                                                                                                                                SHA-512:6D70FFB621EE8A6D77A409FDD5D7691090567888253D6B18F256D6F35D1EAC52D72921C9ACFF32B5C5B246D2145101BD037B42180B565F728DC989C93A32B7A5
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                 Joe Sandbox View:
                                                                                                                                                 • Filename: ipNkjpa6m0.msi, Detection: malicious
                                                                                                                                                 • Filename: yJYNZgoiNh.msi, Detection: malicious
                                                                                                                                                 • Filename: BizCloud_3.2.0.2453.msi, Detection: malicious
                                                                                                                                                 • Filename: Patch_MB_5.x.exe, Detection: malicious
                                                                                                                                                 • Filename: SecuriteInfo.com.Trojan.Siggen21.12106.29399.26647.exe, Detection: malicious
                                                                                                                                                 • Filename: SecuriteInfo.com.Trojan.Siggen21.12106.29399.26647.exe, Detection: malicious
                                                                                                                                                 • Filename: Patch_MB 4.6.x.exe, Detection: malicious
                                                                                                                                                 • Filename: Patch MB 4.5.xx.exe, Detection: malicious
                                                                                                                                                 • Filename: Patch MB 4.5.xx.exe, Detection: malicious
                                                                                                                                                 • Filename: invoice order-876451877#..xlsb, Detection: malicious
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.PE..L..................!......................... ...............................0.......R....@.......................................... ...................B..............T............................................................................text............................... ..`.rsrc........ ......................@..@................:...T...T...................d.......................................RSDSB..SF.Lz@..'.o.....api-ms-win-core-xstate-l2-1-0.pdb...........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02............................d...............(...@...X...............)...X.......................D...u...............api-ms-win-core-xstate-l2-1-0.dll.CopyContext.kernel32.CopyContext.GetEnabledXStateFeatures.kernel32.GetEnabledXStateFeatures.GetXSt
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):3075244
                                                                                                                                                Entropy (8bit):7.900288938567287
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:VOf953zERCGq23sy/Vua08ADdPbsejOQGBGMT7bQsZPCMJbLePW7pURAGQeSy:VOHwRV5/MeADdPbsejOQGBz/bQsZhBCH
                                                                                                                                                MD5:B2BEE4CA7C5919A4DCD783301AAB69F1
                                                                                                                                                SHA1:E408168D5A3F7DA81A3B3A235A0D9F25976A7FE3
                                                                                                                                                SHA-256:AE6688F5CBD92C00035CC9858743C11326A3024C5B733D3795FA052E15F1474B
                                                                                                                                                SHA-512:CA4589482A2A5CD64525E7AB30DC6E21A7448D176F311E9F9874BDD3054E101C51D210E96D7CAEEDF07848823A1BB1ACEA9EB3A787901D3281C2F38E59E5F493
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:RIFF....WAVEfmt ........D....X........fact.....u..data......:.&.......B.P.^...T.....,.......L.......2...2.D...n...........*.......>.....p.l.n........"N.T....$."......(..(./.#..d.. .4.A4A.-x.0 .6.N.P46J!. $'.4.=.?.@H8.#..... .).'.%.#......@...........0..<................T.N.~.p...v..b...D....x....X......D.t...j.v.@.l.....h.....D.p.j..;.h....|l\P.D.L.W~T>GV/..0..p..|...j.h......F.QhE.+..v.~...:.0......<.b.R......X...*....F.........8....~.n.....h...z.(.L........F.h.v.T.(.............x..............b... ...p.........|.....b".).*@(x.....h.....d....".%f....*X*."H.....&../.;.>x<.0.(2(./.A.QX[.T.C.D$T&Z.Z.R.F.A.KpR<R.O.<z........".#.#:". ......... ...r.......|.Z.....p.........~...........F.X.~.p.r....". j.....<.........H0.8.F$D.,L........$.4.H.V.[.U.J.J.T._.qDy.|.."}.n.k.t.~....\|.ovg.h.w..........................................N{.q.q.@.../....h....... .v...........|.....:...........B..B..\.(.Z.l....@...t..z...>....6.J...T.p......4..".....x...b........>.....
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):621968
                                                                                                                                                Entropy (8bit):6.698454100636752
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:DzrTKXAoDYZJpTtIhjYvUJppHDpHHB1yWVGZbp+fb03dD1/P0VbRTbEaT:DzfbRU/kZbp+fb03d1/P0VbRTbEaT
                                                                                                                                                MD5:E11235CB041E3AE98CB17D746B45CB66
                                                                                                                                                SHA1:FCAA4FEAB36F28BD38E71EE762CC499F731D3D47
                                                                                                                                                SHA-256:C7030FB23FD25FC99C39457618A3AFD2B27B381D7B833D4662995493D85DEAF4
                                                                                                                                                SHA-512:08DA0141966050864A404C413F51FADA820489872DA15DDFF1EF8273211DEAB106BF912105076F24E801B88276DB772CB8F8F15201B83EF35E069D0A4DE63DB4
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........}F...(H..(H..(H.d.H..(H=..H..(H.t,I..(H.t+I..(H.t)I..(H.t-I..(H.z,I..(H.u)I..(H.z/I..(H...H..(H.z)I..(H.u)I..(H..)H(.(H.u-I..(H.u.H..(H...H..(H.u*I..(HRich..(H........PE..L...=.Df.................,...*......b........@....@.................................{.....@.............................................X|...........T...)... ...P..@...T...................8...........@............@...............................text....*.......,.................. ..`.rdata.../...@...0...0..............@..@.data....)...p...$...`..............@....rsrc...X|.......~..................@..@.reloc...P... ...R..................@..B................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):130672
                                                                                                                                                Entropy (8bit):5.832783895432856
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:NrVeqBZ4NgTMAsEuA9jHu/eCa4vr2rYBQ8U5:xV9ThsjAjO/zfy8U5
                                                                                                                                                MD5:0C1B888271CFE5A115BDEE38ABE565FF
                                                                                                                                                SHA1:129A1D687303C47DD48EDED2F26B3C8FD90DE0A5
                                                                                                                                                SHA-256:D4FB4BC930CA45AC352B9D927C23BF18B88EE0593D4541B2B2316FC364BA84D2
                                                                                                                                                SHA-512:63FA26C1BF97745548FD6DF4B6464D7F07FF65BC210A2DF0D33907095CA9279642A09CE4D7946AE656926020624F991E16F5D5382BBE38170933C93605221430
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J....p...p...p..H!4.$p..H!5.}p..H!...p......p......p...p..op....0..p..."...p...pB..p.......p..Rich.p..........PE..d.....w]..........".................D8.........@.............................0......x.....`.................................................<t..d........C......d.......p.... ......@...8...........................`f..p............................................text...Z........................... ..`.rdata..~}.......~..................@..@.data....=...........p..............@....pdata..d...........................@..@.rsrc....C.......D..................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):494567
                                                                                                                                                Entropy (8bit):7.999240234644863
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:12288:QWZVF54UGpTMM3LU+30j52hpQVeh1gPQvbCb7XAO:QP3t1bl7hpQVeYXD9
                                                                                                                                                MD5:1CC5EF6614632B8D91BEBF248C891C25
                                                                                                                                                SHA1:1B60F75EBE6D03D3D589A15758AB5AA7F430C1B0
                                                                                                                                                SHA-256:05D59EB6A94E12226DC71D0B3700A69318066841485BCDC92879967DB7D7D2F8
                                                                                                                                                SHA-512:D4A333413AD69813B5FBE3FA3270E9156CEA5A01F84C98B2CAD8546CEB19631281EE643C67A7A11EFDF1D24D1132E806365E3C83B0968099FF301EFF59249752
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:...t.)......&...k.................................1012546698.?=<>/! #qPTWI[\wiAEJ@%~70VTWVXX[Z.Y_^@HCBEppp...}uHONqqsru.rvyysz}|JGQSV[WQbfihjjml.k...............s.........................S........................!.......................$................................................................=7;.....97699;:=.:>!!+"%$NH]MYDL@!.QPRRUT.SYXZR]\_jrspssu~IIHKKMLO.tpss}twv........q`cbddgf.mkjjdon.................t..................................................................`................R..................q.f.u.3.D.o.o.q.n.g.p.Z.{.k.z.k1'325!769.=:=>.>! ."U$U&F(L*_,N.<P7R4T#V8X~Z.\*^2@,B+D"F=H.J9L.N.p.rmtwvyx{z.y.~a`cbe}gfipkjm.jn.................................................<................................................o......................b{e xs$&w,ccwxjlqurg`<~c>z......10.7546.98;.E.^...aC.@....M..J..cgc..deejok;.i.nv..wrZGFIPKJM.JNqqQrut#:+..=+..3 '.8.(.(,P.\.&6....................................................................G........
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):126952
                                                                                                                                                Entropy (8bit):6.632324580745744
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:f4wPWzrQk7CkierAkEpZBZIllqOER4xZox077aOeN8Lqce:fzWzN3rCnvIa4bBq
                                                                                                                                                MD5:3ED90B50815573A97860642BB2D84AD4
                                                                                                                                                SHA1:7A72EDCA22A6512AA73CC59132FC0B9CDEF20EF4
                                                                                                                                                SHA-256:DDE5264CCEDCB74AC3A925E7FC8C31CF5474906F6FC3D720960A0BBCEEEEADC5
                                                                                                                                                SHA-512:B92FBE15D870EE4B3C8A8727D380A7AD110BBE4665C533580E2563BA00D11C7D67D780FF1F85A37CD5886757B87BB062CA1587046102CFDE97C3A5DB30D049B7
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............[...[...[...Z...[...ZW..[...Z...[...Z...[...Z...[...Z...[...Z...[...[...[y..Z...[y.)[...[y..Z...[Rich...[................PE..L......f.................0...........+.......@....@..................................k....@....................................P........................)..............p...............................@............@...............................text............0.................. ..`.rdata...r...@...t...4..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):147944
                                                                                                                                                Entropy (8bit):6.314774596262296
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:G9vgak1Gld5JL4lJGkdVVqWer22YCvAs23xuw:gcKnh4lJGkBqW9Nn1
                                                                                                                                                MD5:77CDFEE8DA42F70094F4978CCA0673AE
                                                                                                                                                SHA1:704536E9664EB523AA364D0A6E06EE12A23151E0
                                                                                                                                                SHA-256:9CFAD518C853BF3025B3EA9FD4004653E7B212CAD05581AC0BA8027A42A5C284
                                                                                                                                                SHA-512:A1F4FD74324517673A5F6E3C9BC27B95E23F02BB3F22B5770958F2F703719562D8071A64072EB9E7A823277176C50D1E87A3C855B1B2C7B4938B69C8F56DCF70
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]..^<@.^<@.^<@.;ZD.T<@.;ZC.[<@.;ZE..<@..TD.L<@..TC.V<@..TE.s<@.;ZA.Y<@.^<A.-<@..UI._<@..U.._<@..UB._<@.Rich^<@.........................PE..d......f.........."......:.........../.........@.............................`......;S....`.....................................................P....@....... ..@........)...P..@.......p.......................(....................P...............................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data...............................@....pdata..@.... ......................@..@.rsrc........@......................@..@.reloc..@....P......................@..B........................................................................................................................................................................................................................................
Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 496424
Entropy (8bit): 6.647902297128089
Encrypted: false
SSDEEP: 12288:hCuq54ShaC4AlAgp4caCdub7bgmKao4axo6Ys:3q54Sh5Gg+3Cdcbgnl4axX7
MD5: B3DD45104AD801BC9186C2BF5C44BEAF
SHA1: 6849399A9910412F4726779188DD855E17B786D3
SHA-256: 1E1526E44F06F2D3F2518E4F81F3AE08ECEB48A8C5FB361F9EB4489798BD62A0
SHA-512: A0A1E645EF27317E692EA99124DCFD426907CED0918C0E6576F5A90594FD0DF2EC338805981A972E533EA20C4D893E3A8420DDC9665A18298580F5E5E21029B9
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 64512
Entropy (8bit): 6.350855759703589
Encrypted: false
SSDEEP: 1536:xH7VU7vXs2xOu6zODuRcmk8Fzzm+tWBsXYp3X:17+X9B6zZjm+oBsXYp3
MD5: 500296C19761254E94039C5E947FD4C1
SHA1: 75BD8B2F53C7AF89EACD8F82561345DE7F903FEA
SHA-256: CCAF204AF80F66A2254CFC8D37B4665FD158CA51AC60FEBEF89AF3683F2A65F5
SHA-512: 341A227809F788F5905D90297743130D616F98BF93E50B53E27953A0227B20929146AF50BB3AFAED227356C1F55CAC381F9CF8C15F35849DBC4A9AD01F11753E
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 217088
Entropy (8bit): 6.519727832141029
Encrypted: false
SSDEEP: 3072:0/pTVwO89zhz+gnIVN+FwZKUtnavP0oD2d6zf9ufJlRHjhsgesF7KiBveM6P8:2TKFleSKKunavPbD2d6MDve2PBveM6E
MD5: 74BC438E41C723C1389EE2484E0359C7
SHA1: 927BB7BCB50965A896757A28744887EADE204337
SHA-256: 6B1002B04D0334D6AFCF28147918DF5F284C016DA605BDC36F4F2C5806950316
SHA-512: 55D03871B1FC7AFA9D35DF978ED968BE603B10754B43F3E4AA8CF89B989549E7114F183CAD10B242E3AB27F85F10B8CD91207364F170C02CC8E94D24C6E6CAAB
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2121288
Entropy (8bit): 6.601907228743163
Encrypted: false
SSDEEP: 49152:uilRC5YjsY7zqjgLVsXHQUZ0HwyZ/ZIAOp:uilRCG7GjgLVsXHQU2HwyZB6
MD5: 574888928C465B73237B6B6C5A7AE336
SHA1: FB7162078BDE290A7275CC53062A4C85417501BF
SHA-256: 392A3E1C781269BBF10F0B3FB9C6380CED6FE3605B201B8D1A34C2AEADE42228
SHA-512: E127349B16667B237EBD3B5A9BF62B33A8C873E64F49D2BE7A12349C8584CD02A347C279EF16CDC9784AE00876424920F4896379A770052ACFB77A45487266B8
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe
File Type: data
Category: dropped
Size (bytes): 494650
Entropy (8bit): 7.999240700957889
Encrypted: true
SSDEEP: 12288:pWZVF54UGpTMM3LU+30j52hpQVeh1gPQvbCb7XAf:pP3t1bl7hpQVeYXDe
MD5: D3D2CFFF5C3134B99F4F45D2689E5E40
SHA1: D47E48963833FAEDFE17F27C7884B5AC7B9BEE48
SHA-256: 5314DDDDC20E4F3B6F76E313E666AC7F1CB002068C00251EC0E569B0B8A79988
SHA-512: 416B4F41FBD35083D735E51F6EF7E21C64F3BE6C0FB9CF9A803BF51DA0FD26D2F15E975301415E1978A1D1AE5431B19C921094B1529A8A3B7A3F8727B6C55EB4
Malicious: false
Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 662528
Entropy (8bit): 6.672080711998712
Encrypted: false
SSDEEP: 12288:nx8OpKk5hQ+Q0rw1WsNqLO1aZXWSgFL+6KUqWjMFsuvmIn:nHphQQq1UXWSgh+6SWksuvmo
MD5: 2F1C4F707F985EBF08D469E2BCCEF1B9
SHA1: B5A4ABBCEEF05DAE8AC53772F7F2237A7B0E2E7A
SHA-256: 0982B342033C4715024D6BAF4C9B8EC11354E68913684E9DDD1B9730DBF3693D
SHA-512: 6CBA2EF7F30A311FAF87DAB40C81824369BACC423A20351B03B23B9A6300606BB6B9758CE9DE98F492DCCACB3053D6948F60CC73F762E6CF9BE479E8C8411D15
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 20520
Entropy (8bit): 7.06137026580752
Encrypted: false
SSDEEP: 384:mlWfhWIELm0Gfk08xlZWWkiJ34Wpo1MgKlx+YUt:h2RXgidvg86
MD5: A47A7084D4ED2FB6B9181075F91729A0
SHA1: B58E9474A3E7FF023C3A181A3912E7884E8E1A7D
SHA-256: 9490C5938112242CADC2C676F82B60FDCC7E5F56CAA7AA2D2BA3A6ED358683D4
SHA-512: 0B5FE71B2E3CD7FFD836A0BF49F44818A59CA3CDB1934C6402DAC1CB132AAEA0B540624537F2C2B1E99922E551990D7B27F29F9B9A87E6E1CE5D4F6BA7E7D63B
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 20096
Entropy (8bit): 7.072475082552088
Encrypted: false
SSDEEP: 192:miAWfhW4v40V2sms/nGfegUjYrUtpwBqnajro5l8WWFYg7VWQ4mWkYwUtpwBqna8:mbWfhWELm0GfqYOql45SQql4P
MD5: 9B630E1445F1E687284077EECD999B03
SHA1: 88B8DA8B1FBAF0B91699E2A0BA212C5E8ADC6E5D
SHA-256: EFD664C9F87B370A530CEA5FCAEC3D248F5C9D79E749862B3EB63448292AB20F
SHA-512: 32AE20BFD579B8BACBDF3CC6A7250662DCCA5F2CC24F36E7034384CE2E3CC6E61F7CD7A5B54865FFA4CCD2BBE61D5BC9C5C9894ECB4981C410B66B19A485D1DF
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 19584
Entropy (8bit): 7.060957959205541
Encrypted: false
SSDEEP: 192:m1WfhW4yI40V2sms/nGfegrlwcunYqnajjhEiDTWWFYg7VWQ4mWlhQzcunYqnajj:m1WfhWtWLm0GfveulJRxulJTN
MD5: 72F8626388893A536D0EE370ACC9E456
SHA1: 66CF9103FD285FC34FF018EEF98C3BEF0FDCBA96
SHA-256: 5C9D7085295DAE9A9B2D3A9C66D99D0061D0BA14F218B95E95E8B01BB7204C87
SHA-512: 7253B85867977CB8823BBFF120F2FBDFF2D499862A58B6B7D8BDE083E7E07260294411EBF84CAE4CE98963501D5CE7656F00DD0249FEF7413CAD727697E75477
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 19584
Entropy (8bit): 7.066820867427729
Encrypted: false
SSDEEP: 192:mIWfhW4x40V2sms/nGfegckcinEqnajxBYBE2WWFYg7VWQ4mWwG9j1inEqnajxB9:mIWfhW2Lm0Gf3dElDgEWwVgElDuE
MD5: 5BF7AAFD1E8AB7B806DBA539A0B33474
SHA1: 53A476277856DE2EF21DB9A4F56930F77E69D45F
SHA-256: D9100E99B2B915623294E18377D162AFE9FD354BF0C4A7208F1270721714A553
SHA-512: 369733AA72D84579C17DE3094B5396FF9C760B84F161B36BE814512A7DD10C61DDB63BBF889FCF6875311A665EFB545D8DA4E08FC232030CBD3CF4B607DA45C6
Malicious: false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.PE..L..................!......................... ...............................0......L.....@.......................................... ...................B..............T............................................................................text............................... ..`.rsrc........ ......................@..@................9...T...T...................d.......................................RSDS....F.B..s.Lz.....api-ms-win-core-debug-l1-1-0.pdb............T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02............................P...............(...8...H...|...............q.......................api-ms-win-core-debug-l1-1-0.dll.DebugBreak.kernel32.DebugBreak.IsDebuggerPresent.kernel32.IsDebuggerPresent.OutputDebugStringA.kernel32.OutputDebugStri
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):19584
                                                                                                                                                Entropy (8bit):7.094726120204144
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:mVDmxD37WfhW45V40V2sms/nGfegVUinEqnajxBPFWWFYg7VWQ4mWNyinEqnajxj:mVDoWfhW8Lm0Gf3ElDPDOElDh
                                                                                                                                                MD5:A960E117840ACB5FF1D2DCFBBE574E21
                                                                                                                                                SHA1:46747EE4F408E063CF88C86A685412C08AE78473
                                                                                                                                                SHA-256:5695695176A80A3E7F9EAC80BB3D92DF1A5592BE42B939B14087A3A6AE6EFADF
                                                                                                                                                SHA-512:5BFBB2E49C9825B31A5D63E09E58DC7E05D8B5E49530753B879971531A398EC46F7A0FE3EF5EF605F396F7440A650E26BF2B6D933324C95410608FF48D13F3B9
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.PE..L...l.$............!......................... ...............................0............@.......................................... ...................B..............T............................................................................text............................... ..`.rsrc........ ......................@..@....l.$.........A...T...T.......l.$.........d...............l.$.....................RSDS`.FG.1.K.y..t.x....api-ms-win-core-errorhandling-l1-1-0.pdb............T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02............l.$.....n...............(...D...`...................4...f.......................'...J.....................api-ms-win-core-errorhandling-l1-1-0.dll.GetErrorMode.kernel32.GetErrorMode.GetLastError.kernel32.GetLastError.RaiseExcept
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):23168
                                                                                                                                                Entropy (8bit):6.993314088927404
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:mD6PvVXzWfhWiLm0Gfiolp6SyqWolpqgL:DPvVXQDRhe
                                                                                                                                                MD5:50FEE042CEE2A4AABA502D2F5087AE70
                                                                                                                                                SHA1:347C3A75D19B784223296F19DA64ADED95056C3A
                                                                                                                                                SHA-256:656D1B11A6242142B9B289445FBE7617AD9B5F6FCF47AD6983FF09194C867BBC
                                                                                                                                                SHA-512:D2E4F9F13996A6D11CAD2F5C2DB74A155CC86DB70820B33EC2CFE86882955AB96F79FDE57901B3880D74775700C3BCABFF7B270207A57959F948FA3E50E188D5
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.PE..L....VSs...........!.........................0...............................@............@..........................................0...................B..............T............................................................................text............................... ..`.rsrc........0......................@..@.....VSs........8...T...T........VSs........d................VSs....................RSDS..T....x .c.fDlB....api-ms-win-core-file-l1-1-0.pdb.........T....rdata..T........rdata$zzzdbg............edata...0..`....rsrc$01....`0.......rsrc$02.........VSs............K...K.......D...p...6...`.......................?...l...............A...................6..._...................;...e............... ...I...n...............-...d...................*...g...............*...U...................M...
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):19584
                                                                                                                                                Entropy (8bit):7.075510972902119
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:mDWfhW4R40V2sms/nGfeghJUtpwBqnajrozQWWFYg7VWQ4mWQiUtpwBqnajro0J:mDWfhWqLm0Gfmql4E1ql4Y
                                                                                                                                                MD5:045E4617B49E817007D8A88652AF7734
                                                                                                                                                SHA1:305026109A1EABF49BF7AE6A233A4A11E2A22580
                                                                                                                                                SHA-256:FD387D4E358E3755DB38A618066FB72CD03B17B54D058DBE3DAB82065519EDC7
                                                                                                                                                SHA-512:7E21CF4982CE6F4AA52F0281EAE101287A850152C70577B456876356201E12983C9D211D04E05D2C81F80A56BC11AB54EAEFA7E492E3910AF21AF14FF10962CC
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.PE..L....lC............!......................... ...............................0.......r....@.............................L............ ...................B..............T............................................................................text...<........................... ..`.rsrc........ ......................@..@.....lC.........8...T...T........lC.........d................lC.....................RSDS..T..t..*..].".....api-ms-win-core-file-l1-2-0.pdb.........T....rdata..T........rdata$zzzdbg.......L....edata... ..`....rsrc$01....` .......rsrc$02.........lC.....@...................(...8...l...............`.......................api-ms-win-core-file-l1-2-0.dll.CreateFile2.kernel32.CreateFile2.GetTempPathW.kernel32.GetTempPathW.GetVolumeNameForVolumeMountPointW.kernel32.GetVolumeNameForVolumeMou
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):19584
                                                                                                                                                Entropy (8bit):7.12851056880766
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:m/ZsWfhW4H40V2sms/nGfeg68cinEqnajxBvxWWFYg7VWQ4mWOHRinEqnajxB5pW:mGWfhWULm0GfBdElDnFcElD5c
                                                                                                                                                MD5:ADFC5BEBC4A2C52023F47A1E548B0CC9
                                                                                                                                                SHA1:A2562EF8534B1448409ADFA6C5D7E283AD005A70
                                                                                                                                                SHA-256:7DE5743F68D9BD6CFF0FB8021C22D4069E2E993D97735DB0EF65756FF915F39C
                                                                                                                                                SHA-512:89665104BD17F9020A871215F03ACD40294302E933E503AD22B208EC7C96DDDCF5F7B1AE1AA2C3D83FBD608D525D36FF2F7EE86762E44E441153124DA352A278
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.PE..L.................!......................... ...............................0.......n....@.......................................... ...................B..............T............................................................................text...}........................... ..`.rsrc........ ......................@..@...............8...T...T..................d......................................RSDSD..H]F..$.JN..=....api-ms-win-core-file-l2-1-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...................................D...p...............#...P...................;...g...................<...m...............%...Z.........................api-ms-win-core-file-l2-1-0.dll.CopyFile2.kernel32.CopyFile2.CopyFileExW.kernel32.CopyFileExW.Crea
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):19584
                                                                                                                                                Entropy (8bit):7.077995491632721
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:mrWfhW4J40V2sms/nGfeguf60dUtpwBqnajrorWWFYg7VWQ4mWXS7UtpwBqnajr8:mrWfhWyLm0Gf90Yql4ZQql43
                                                                                                                                                MD5:1F6A4F144E52A23767CC74FE2F796FF0
                                                                                                                                                SHA1:646F55FCF4CC0654F9E01E66FB20E463C1AC9C86
                                                                                                                                                SHA-256:634924290057AE9C0E4599D2C70656916BE24BD594AB1904C0BE7A8EA91DDC7C
                                                                                                                                                SHA-512:0E52078AD12BC9BF1D74D5EC98A547CF3DB508532098BFEFB8BBBA8F4F7305BAE2365DAC50E9C010642C6A9BBBBEB3660C6FC658B00E8370CD3647C65AB7D403
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.PE..L...L..............!......................... ...............................0.......i....@............................._............ ...................B..............T............................................................................text..._........................... ..`.rsrc........ ......................@..@....L...........:...T...T.......L...........d...............L.......................RSDS.1S..1...OWM+.......api-ms-win-core-handle-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg......._....edata... ..`....rsrc$01....` .......rsrc$02....................L.......Z...............(...<...P...................A...|...............,.............api-ms-win-core-handle-l1-1-0.dll.CloseHandle.kernel32.CloseHandle.CompareObjectHandles.kernel32.CompareObjectHandles.DuplicateHandle.kernel32
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):19584
                                                                                                                                                Entropy (8bit):7.137323710017715
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:mcElOWfhW4e40V2sms/nGfegD2z2vUtpwBqnajromWWFYg7VWQ4mWNd/wUtpwBq6:mcElOWfhWpLm0Gfeyqql4Gq9ql41iv/
                                                                                                                                                MD5:7001BEE6D2B9189081F4B558050FE106
                                                                                                                                                SHA1:561DD7A7C58FD2599FF8694BEAA908D2E3AAF68E
                                                                                                                                                SHA-256:6BBBC652AC07511AF4126A4A820661EAFAA3903C6A6993E2F5C0CDFF541AE195
                                                                                                                                                SHA-512:301BB940359732DD2E263F6327DF11A3C24F95C8D6396A0E2731B1B9D8179DE196CC54BAF2AB29E6175C66192DB5D6E0513BA01655BC81AF94AC29B02F2E560C
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.PE..L....y.?...........!......................... ...............................0............@.......................................... ...................B..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....y.?........8...T...T........y.?........d................y.?....................RSDSP[c.0..#...`......api-ms-win-core-heap-l1-1-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.........y.?........................X...............2...Q...q.......................C...h...........................(...E...f.......................0..._...z...............................................api-ms-win-core-heap-l1-1-0.dll.GetProcessHeap.k
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):20096
                                                                                                                                                Entropy (8bit):7.0461341338880965
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:mGiYsFCWfhW4b40V2sms/nGfegnYzkcunYqnajjhEHWWFYg7VWQ4mWSfPNcunYqS:mGiYsFCWfhWkLm0GfMkulJABulJP
                                                                                                                                                MD5:109032959967F8CB078D72E397238509
                                                                                                                                                SHA1:BD80538EDB47F8620D78AE8BA6127E5748AE5889
                                                                                                                                                SHA-256:C05208903446E2BD528F726AF1287BE05243DD6CD1E42359440F9303FB7790BE
                                                                                                                                                SHA-512:B2825341A8FFDFD1317C24A418EA581B513CD4E6628A989AE11E19B51083B29B5A7588BFFBCE21DED5127910B2D486D3E1436E6504595015218F6C84D98990A9
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.PE..L....<!J...........!......................... ...............................0............@.......................................... ...................B..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....<!J........?...T...T........<!J........d................<!J....................RSDS.d3........dn.......api-ms-win-core-interlocked-l1-1-0.pdb..........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.................<!J....................(...T...............L...............!...U...................1.......p...............@...s.................................api-ms-win-core-interlocked-l1-1-0.dll.InitializeSListHead.kernel32.InitializeSLis
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):20608
                                                                                                                                                Entropy (8bit):7.03929982970758
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:mX6vuBL3BBLEWfhW4g40V2sms/nGfegxfoUtpwBqnajroHWWFYg7VWQ4mW3GUtpB:mX6vuBL3B+WfhWrLm0Gf1Nql4lIql4UE
                                                                                                                                                MD5:146E9998951E897A4F7F5A97BAEFA823
                                                                                                                                                SHA1:0B822D157E4A0A21E1192BDD1D559219AC73F913
                                                                                                                                                SHA-256:AC011F904F8AA7C9A2577D959F7E430CDA544CA13A1B3818C69D8514D079399A
                                                                                                                                                SHA-512:3DEECB532E24790405054DE1C63AA5937ECBCED0791AA209B0FD1B0D4E68735A38A96DD86167CA3B1C340DA0C2F8D2A6D33B2E34845DDBFD539941856C22BA5C
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):22144
                                                                                                                                                Entropy (8bit):7.049234578377165
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:miOMw3zdp3bwjGjue9/0jCRrndbJWfhWILm0GfUmvyRlZRBpyRlZR8e:vOMwBprwjGjue9/0jCRrndb+pRruyPHg
                                                                                                                                                MD5:2A3DA8E1CD09ACA0FC13BE43848C7695
                                                                                                                                                SHA1:72380005FDE41E6C6B37DB5A46CDB0EFC3D6CB08
                                                                                                                                                SHA-256:C3F671D3B41FFFA444A33F79C0E65DF7CA01E56598E4B2F90E7AF18C77B97652
                                                                                                                                                SHA-512:E4B659AA290A6C256799A76890C296E702316094B132B9BC4B393DC6BFF7640B7E62DE0F05097932291DB411DFB871533F7473CC6C55805F69D75562AAE6DC44
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):20312
                                                                                                                                                Entropy (8bit):7.070779573103326
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:mowb1WfhWZf40V2sms/nGfecgV9+D2n4V8gqnajB21w7WWFYg7VWQ4mWh9XinEqW:mowb1WfhW3Lm0GfAQD6gl9i2ywElDuo
                                                                                                                                                MD5:163D64F0558D8D93B86ACD1055EF2CA8
                                                                                                                                                SHA1:5727FFB8CA641CB2B9DABA4FD8341528DD1B7C30
                                                                                                                                                SHA-256:94AF705CCFD2E10D65A06451226ACE0E13EAA1FE5AF9B3F7AB81D96ED0775C4B
                                                                                                                                                SHA-512:74862F8CF84F6D56FF45AE135D685B181C8DC9EB6B0BD20BC5F3C25E656F60A014C89F71A7E5F381AB06B3515454CE836A75FBBE7D2B1C7770656D144ED555C6
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):19584
                                                                                                                                                Entropy (8bit):7.118060661272197
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:mtWfhW4d40V2sms/nGfeg4KvHcunYqnajjhEbwWWFYg7VWQ4mWc04XmJcunYqna3:mtWfhWSLm0Gf1vulJYQCEaulJGFi
                                                                                                                                                MD5:1922B0A9AB3CBB0F4A93C0DF1E812996
                                                                                                                                                SHA1:C3BB5C4682DD0CD16D828EE96E6CD02C047D8F44
                                                                                                                                                SHA-256:89C930D2E4482799F4F0F040B994C457310912ED1BBF2A4B61E58CC98F31F0D5
                                                                                                                                                SHA-512:10464A4027A62815A29DD888E870186F3C3ED809080784465EB5577051B42AE3064949C4FE8F4ABE846B1253562436EDA4514EBCDC8FC9D73A7D68F0FA8646D5
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):20608
                                                                                                                                                Entropy (8bit):7.047016382155319
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:m+XWfhW4540V2sms/nGfegNhoLyFqnajmI6YSdrvOWWFYg7VWQ4mW+WE4tLyFqn3:m+XWfhWmLm0GfUolp6YSJGCDtolpqi0
                                                                                                                                                MD5:114A2B70FDCF21357F3070DC0C070B3C
                                                                                                                                                SHA1:466C1006877E63F404269990DA6926057CBC4CE7
                                                                                                                                                SHA-256:D91F680B1F54DCCEDDD9EAD63DC08EE11845803F2CC6DE7C545335803016F2D0
                                                                                                                                                SHA-512:AF75ACA3FBD6430EB2975CC6339501ACBFD31F4DFB6EB9D3493448946FF301E9EC0BC252AB679CC2508ADA510B15BDBB0DABE002CE2F7E4F1C1B437527C76667
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):21632
                                                                                                                                                Entropy (8bit):7.05517667943922
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:mz+yffk1JzNcKSIlWfhWkLm0Gf6ulJEgSulJ8:ZhcKSP9RD
                                                                                                                                                MD5:A66BD19055465D56D2918BEAAFCB6A04
                                                                                                                                                SHA1:106973CC2E03293CB4A03826F843D387431666F3
                                                                                                                                                SHA-256:3129F7B002B724CDA522230CA7A9CB4B24F0679BF572D4FC990058D6B36CC293
                                                                                                                                                SHA-512:873A9E63608D70725E6046999E36B15DC99E362E0BAFA4DE1CCEBC09BF7123D6BC5D21DFF1F778F8B8CD3413B45B82344784F9F2E1B31F54AD34CB3A2754F0A2
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):20096
                                                                                                                                                Entropy (8bit):7.0898045680031965
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:mhbD9DfIeNWfhWuLm0Gfiolp6zgSSolpqdQ:obDGeqvRB
                                                                                                                                                MD5:1F462654C1BBC1CED7E4D8E879732E14
                                                                                                                                                SHA1:A56A7C4154870DB07395D50F4D8D963E4CCE92AB
                                                                                                                                                SHA-256:B8E6DECEACBC5F8E483AD076196DF819377D2731E146EB4F48C5A59DA9ABDD65
                                                                                                                                                SHA-512:917EDFC5CBF3F82708D6CB84A2AD31C41B1B02CF44A921B6934BFF614B69D0754115C35AAF4D181085A4B77EBD816FE06CB9DEF01ADDC5C68846DA0850FE8CCE
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):19072
                                                                                                                                                Entropy (8bit):7.145159778335249
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:mpRWfhWWLm0GfE/TTXZl1O2FcsBOvTTXZl1O2:X7R9U+WU2
                                                                                                                                                MD5:E52748F87B1F5905FD6D562533523C33
                                                                                                                                                SHA1:C1F3B2B6BD929BA6B4DEB79498204C9A5E0D5FB7
                                                                                                                                                SHA-256:B1E857E184818A6FA21E44C658FA3D6A752881CE909B18CC2D677DBA0E2DB87C
                                                                                                                                                SHA-512:25C80C468E43DF617C0E18D06697F14C3BB1594B233DD7CEA5AA76D49730AEBA9E5F7D435ACF9FF40A8DC66D9431721D44F2740EA34B1B667A0C7BB8FAA78F74
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):19072
                                                                                                                                                Entropy (8bit):7.148295358874073
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:mgrGpWfhWeLm0GfkSTTXZl1OI4vTTXZl1Ozr:hGeXRMU1Uzr
                                                                                                                                                MD5:01EE5032CB31B9A83C6B0EAED810315A
                                                                                                                                                SHA1:36CAD637293A5B01C0E0ADBC16C55A37992B15C3
                                                                                                                                                SHA-256:A2CEE2281A78F0A58F2A6C1E735F1725E96512C5DEE49F021C549CAC3C618BA7
                                                                                                                                                SHA-512:58B857C589870D2C4C3FDCB61198CF6C49BA5496B86B8EE6B60805D08B7DA712674B41F1014433F125C1DB5E255E18B5E2911C278316174FA54BAE07F3C6B986
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):19584
Entropy (8bit):7.110894151935855
Encrypted:false
SSDEEP:384:mUyMvNWfhWrLm0Gfxolp6rBnbCLolpqSX:zyMvq2Ro
MD5:7DD35C4BE2EC4D74946177698990B1BB
SHA1:B35FB40DCA5F76F2FF9BCC0956659A834310E8BD
SHA-256:AE67D1BDA3D9C10560819E9E02BA475AEB3F7DF7E8F73586D546F44BA6EF8046
SHA-512:CAAC4E0E8BBFF5E83964EA1502A96113FB1FD421F32FE70029352A533F4B95C826C827EE57C0D1C3D47C5E3B792CFD8C5C1477A6485EEF6299601AEEA947E684
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):21632
Entropy (8bit):7.017538621380962
Encrypted:false
SSDEEP:384:mjjdv3V0dfpkXc0vVazWfhWSLm0GfYql4KQXql48t:Odv3VqpkXc0vVaQ7R4
MD5:EBFC306560273B257D3A1EF9861E35D6
SHA1:7834FB653634A181890531FB3E91C55EB0ED5745
SHA-256:85AA1CDDDDA9EC9EBA75F68CD98FC43430F1ECB68B957A7B70A7A6049FEAE76F
SHA-512:BC3AA3B7AC552912C3DD405A3B0F0218DDDDAE459A16EDB99C1870B020D41102762B24315BE5B55781A8EAFE99195888EC9F976842DE165B95C423C43FC90A7D
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):20336
Entropy (8bit):7.110756057756866
Encrypted:false
SSDEEP:384:mGtZ3cWfhWKLm0GfrgW2ZlxrX/78861yRlZRB9:lvRQ6HSyPL
MD5:5A8978023B93C8C369D3696C8251B71D
SHA1:1FFC61471C2F49A80D5E3F83DF2A9010D3C5A1C7
SHA-256:DBA254B1446808887D452BCD6C27685462C39DC2F1DA181765F0898B4EB1B953
SHA-512:53AE57280E593D886B609D55C313E2EF208C3F0CE53B5D015F57AAF3CCE901A192EFE60B24D9E9B5C6E9EF7779C9103A951E813780A53D12A27680965E5B39AD
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):20608
Entropy (8bit):7.039125974335496
Encrypted:false
SSDEEP:384:mtd2VWfhWLLm0GfEtTTXZl1OzjTTXZl1O2:EsyGRLtU3U2
MD5:B816BD9EEF2ADF08D27A22620FECA795
SHA1:A8B8D1CB1E2FDC605449CD17C0E2F62DB582B266
SHA-256:4214F1C07C4ABD241634CDE318F4F73C9D1AEB931413C4245B6C61F77F3B54DB
SHA-512:D78616F681CEA3317B9FFB86AE7B11778B90F47CB57FA92F8C8666F6E36FB6831E38C37D2FC9F5C81E743F8B77F25CCF657F28FF8B5F0599D70CADE5C9EC9BBF
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):20096
Entropy (8bit):7.094727992749103
Encrypted:false
SSDEEP:192:mMsjWfhW4y40V2sms/nGfegUbTcunYqnajjhE4NWWFYg7VWQ4mWQWMcunYqnajjp:mMsjWfhW9Lm0GfMTulJ1sMulJv
MD5:ED3A91953D5CE03D65BD90FA46C1E29D
SHA1:92CDAC4071850AC96759AE77A0B3C5F6BEBDC2EF
SHA-256:35EA6EC01E55108182C743B47FED5BE381ACF295982BE87D92B4588CCB71240D
SHA-512:EDB4539B6081E73BB410668C420D437A0A746FC4ABA28F7F15F7A2DEBC8BF8EB11E03F38957B438BFB95E86652B44C1BDB0162F449146DF467FF5E1DE281E56D
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):19584
Entropy (8bit):7.068259403592196
Encrypted:false
SSDEEP:192:m67WfhW4m40V2sms/nGfeg58qUtpwBqnajro+tWWFYg7VWQ4mW+taUtpwBqnajrq:mAWfhW9Lm0GfCnql4+r5ql4J
MD5:D8E04BF7A8FEAE0CB8AFE43A87D9EC93
SHA1:8FC010890F4AC7A8117DD5C3DB21171A49EB6F06
SHA-256:E1000EF817A5D8DB82D1D58022C7EE3E1EDFFD2F9DA15781902A4DE2B71242E1
SHA-512:116BDB64752DCB30D0557B2CF1A09FF692D621F0844CD59D69813DD0FD47735B0E1DF34D077BBB4BEA563655CA3460437A644BA26897026405AF573035D9032E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):20824
Entropy (8bit):7.059815605764812
Encrypted:false
SSDEEP:192:mh2WfhWUG40V2sms/nGfeQ7ZgcunYqnajjhE34WWFYg7VWQ4SWhlIkBRkvzSEqnh:mh2WfhWpLm0GfKulJ4Y2B2zlxCHD9
MD5:53F2E4EC1EFE147F8DF45E4AB05A07DE
SHA1:AC03A30639A717B4895407E8D153F8919FF5BBBB
SHA-256:B79BB037437212A95F18B1110A907A0F474878F40A7BB906F297EB5D24352E6A
SHA-512:B435470311ED47F163CF42ADB6334A9CAA906580925D19E9FEBF3C979668C62E25D8232FD5BCEBF2F86307708AC165D7E62608C7225C1AEB7ED1530AECB7C288
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):23680
Entropy (8bit):6.907363857066376
Encrypted:false
SSDEEP:384:m4uyxWfhWDLm0GfCjyRlZRI63m1yRlZRYy:YiRZjyPLW1yPYy
MD5:2E7FCEE0944D063D8528399F22C9B2B7
SHA1:05A68B73E778817F52885E6F27800E99125EFDCA
SHA-256:A38F46FE1A1BBA3A8C7CC942BAC945413C5C0E992CA599F9F09181B7F5645F52
SHA-512:DF689DE14369D858412B79156ACD8E2FCAFEB45793EAC91F1CE0CBA37BCC2E88C53533934647960176C48133C1E5383F406EEF859BFB5231F49730ACF4320D95
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):20096
Entropy (8bit):7.050637010722872
Encrypted:false
SSDEEP:192:mKWfhW4W40V2sms/nGfegb8RDinEqnajxBAlWWFYg7VWQ4mWCcginEqnajxBrk:mKWfhWdLm0GfPElDGaElDrk
MD5:F966B9FF936D60DE02C37B16B9D23E4E
SHA1:7DFFEA259D7E5FFDF005900AC9417319ACC66F33
SHA-256:90788CC217E4F5E78EC988061552FCD1C1A3AB61C6DF3DE132AAE606383FBC27
SHA-512:BC27F4871E872D76B89D7F0BA5ED7D7062A04218BDF9A741598BFCE82CD788E866D2C20513594726948E1701BFDB17AFC2280405B0D994AAA3CD2EBEFC1C8CF7
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.PE..L....<i*...........!......................... ...............................0......q;....@............................."............ ...................B..............T............................................................................text...2........................... ..`.rsrc........ ......................@..@v....................<i*........>...d...d........<i*........d................<i*....................RSDS.[.lv.C.8...u.......api-ms-win-crt-environment-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg......."....edata... ..`....rsrc$01....` .......rsrc$02.................<i*....................8...............C...d...........................3...O...l....................... .......5...Z...w.......................)...F...a...........................................................
Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 21632
Entropy (8bit): 7.053266964111186
Encrypted: false
SSDEEP: 384:mZ5q6nWm5CpWfhWhLm0GfL9FBulJakAUulJk:d6nWm5Ce8RYFFC
MD5: 735D7E5AE0A53B644482F5E70EFEFF5D
SHA1: 8E99689CF9D24AA4268A51BD377015E9D9AD7F64
SHA-256: E9D88AA96743AA2FF29AC8D7930BA0C8EBB21372329A1BF5926CCE59A4B39F4B
SHA-512: 12239D14A634B7CDAA07E39186B674BC905F73C928DB5230752407650F274BD401D10487B3AC2C426CC8DA708F0CA6FBAFFC2A5075E299901961BD205AD7BBD8
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ/PE header (raw byte dump omitted); embedded debug path api-ms-win-crt-filesystem-l1-1-0.pdb

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 20608
Entropy (8bit): 7.028912384164698
Encrypted: false
SSDEEP: 192:mzyY3vY17aFBR0WfhW4j240V2sms/nGfeggbtcunYqnajjhEJWWFYg7VWQ4mWBNT:mGY3eRWfhWkwLm0GfgulJiYkulJT
MD5: 6521CF7E6A66C747726FD09E51A1F92D
SHA1: B89168C27063A2B4F81C69DF4CE23F144B55BCC4
SHA-256: DC8AE6136313ED0EE26AED6E9D3A192413D62E12C7C568FAE5A7ABB784CA4C72
SHA-512: 03A63ED3C2E0BE3E1E918EB01E5FB722BE06D8E32179782ED3F7106048F522426BDA045CD3AE605A066403BDED2621923A8C33D075BF8E11B58C432A69481AC2
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ/PE header (raw byte dump omitted); embedded debug path api-ms-win-crt-heap-l1-1-0.pdb

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 20096
Entropy (8bit): 7.103216025649315
Encrypted: false
SSDEEP: 192:m8WfhW4Ru40V2sms/nGfega00LyFqnajmI6IaStMWWFYg7VWQ4mWdZEhvLyFqna5:m8WfhWg4Lm0Gf2olp6Iaus5olpqSOO
MD5: 281399C6A7CA9C52C6B20C78938EC2D3
SHA1: 5E76793588075EDAEEDAB8D30297D9A8031C74B5
SHA-256: 58E0F4AE04529A03BC5A453CDB891FCDAF82E4D7EC2757B3F88F5F967407FC94
SHA-512: 459FE7CB8433FA23DC765894B78C1E2FD007AC3ED659D6F4FC9191A589E349107F7C4C03718E34C9A9231324FDCD970FAE75E2772C153A97001933869628A7E6
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ/PE header (raw byte dump omitted); embedded debug path api-ms-win-crt-locale-l1-1-0.pdb

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 30336
Entropy (8bit): 6.6715856310709265
Encrypted: false
SSDEEP: 384:mnOTEmbM4Oe5grykfIgTmL2WfhWHLm0GfwETTXZl1Oi4GtTTXZl1Ox:0EMq5grxfIn3qReUi5Ux
MD5: 2B20BC164F817FFBBA1B547857B0DA2A
SHA1: C40095898CFE64C6132E81090333317563184C3C
SHA-256: A7A4BA2270AE7E5679FF9413D1E53BA706A95BEC28C906DE378AB4B1A8FBF6E7
SHA-512: A760294CD9B9F3C0C9C0EC4800536DF874EF7D3757CAD9469DA96C293187A9382867F332CAF714F91C9059A90A3DDA7670B265F3A5E2339B9E12CA05EB373E56
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ/PE header (raw byte dump omitted); embedded debug path api-ms-win-crt-math-l1-1-0.pdb

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 27776
Entropy (8bit): 6.714642405741482
Encrypted: false
SSDEEP: 384:mNy+Kr6aLPmIHJI6/CpG3t2G3t4odXLVWfhWZLm0GfXTTXZl1OutlTTXZl1OjLs:0ZKrZPmIHJI6k0RKUQlUM
MD5: E92BA8AB3BE45A5FA0B0439966583D8B
SHA1: 88EC890850A4D531476151DDABB6F6DEF5D87273
SHA-256: F65BB318BE803581780FED95F57D0FD7B5C1B0E070E0062A8D06E4E5DDE4C9EE
SHA-512: 4A5D11DFB7ED1C95EB2B839C9A094F7A8CD32E78D3AF9F1EEFE52857D9B17CC69649638B8AFD8AE581518CF9B223C352CCDF84A46990AC56B57577502A9035DC
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ/PE header (raw byte dump omitted); embedded debug path api-ms-win-crt-multibyte-l1-1-0.pdb

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 74368
Entropy (8bit): 5.863254204082799
Encrypted: false
SSDEEP: 1536:tHEGlVDe5c4bFE2Jy2cvxXWpD9d3334BkZnkPR+l8:/7De5c4bFE2Jy2cvxXWpD9d3334BkZnA
MD5: 8FF98E2CEB2724D9C7CE121A75036560
SHA1: 5D0EB20C46C4C1CE1C188A5C3CFAF416617A58FF
SHA-256: 80EC395C2C5AD8B9728784D6AEC611E0CE7A5DDEFEBEF093235B420FDB74A7AB
SHA-512: C029A78834236A6A4616EE93E0D06E44E880560C354A4872489D24497133462E8629C03AF707825FC6FD447437922C863E5395F0851D5B19585BFFA42D9CE4EC
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ/PE header (raw byte dump omitted); embedded debug path api-ms-win-crt-private-l1-1-0.pdb

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 20608
Entropy (8bit): 7.044150978413532
Encrypted: false
SSDEEP: 192:mjRQqjd7xWfhW4I40V2sms/nGfego56VUtpwBqnajrofWWFYg7VWQ4mWhM4BuUt2:mjKAWfhWTLm0Gf6Xql49t4Rql4+
MD5: 4BFD59D316C51AF7C1F7D347477B5629
SHA1: 96B6291180AE0A12B8A650557291FF60C1243367
SHA-256: 57998A0A8168A75EB8E5958019B29F86EDEE70931BDBCC18E06C9B93F4B70CBE
SHA-512: CD9620909EAA85151EDF996D506A6969D4F892FE11939158513E14C9E73C862EEDDA61FAAD3EB28E55F3EA10347253E5B7BDFAEE624DE6C514FDB4F902D085FA
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ/PE header (raw byte dump omitted); embedded debug path api-ms-win-crt-process-l1-1-0.pdb

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 24192
Entropy (8bit): 6.925723262316116
Encrypted: false
SSDEEP: 384:m8b7hrKsWfhWgLm0Gf3WElDupsXKmElDatc:1bNrKFxRNCXKmfc
MD5: F24259DABE9905BF00EEF0374053937B
SHA1: B1949C85CFAEB2B2CDF99B51D3191E4E3BD0DD54
SHA-256: F99A3F408880834CE3C762FB434CEA98C87BC6DF19B63D509D1093F2295BBC8E
SHA-512: FC46DB162BA62B46106C7B5C942E2EE186B126DEEBB8F2E48DAF9892620D4B4ACAA244FB4B65E1E6F02E06072A8B61D95E49E2ECBFA676CEDC361735ABB34F01
Malicious: false
Preview: MZ/PE header (raw byte dump omitted); embedded debug path api-ms-win-crt-runtime-l1-1-0.pdb

                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):25944
                                                                                                                                                Entropy (8bit):6.863020480984782
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:mFZpFVhXWfhWlLm0GfdeAplx4bZo57ChElDvkcs:4+QRWa25726Xs
                                                                                                                                                MD5:5F158413A85E905B0CEB5AAA1AA35F28
                                                                                                                                                SHA1:8807FA016B184AE6E8B66177BF34F1810F5D6095
                                                                                                                                                SHA-256:93780B67E8FF9DD076CC67C620D1BAA7B5518ECB5CF45ECC1DBF92E6BAFCF646
                                                                                                                                                SHA-512:E20E433E45AC817F74FCA61BE03BB9A998ADFB2038B50F4476BCB2FCAF0E09236844DC2A9FA4200724D62C646AA9EA5AD315E51FCB4AA9FBF1ADD1A55A735983
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):25728
                                                                                                                                                Entropy (8bit):6.8554752256758285
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:768:A6S5yguNvZ5VQgx3SbwA71IkFD0RL/wF1T:Al5yguNvZ5VQgx3SbwA71IEEL/iT
                                                                                                                                                MD5:C04F55920B25221F81575231BBB5E4D7
                                                                                                                                                SHA1:B0A65C6EE855E49A4A1D937572F7AAA7B6D9539A
                                                                                                                                                SHA-256:C87E13D8FB07CDF07DEB3222270AFEC1DE7FC7E481A9FB22068EEE74F2A60685
                                                                                                                                                SHA-512:2159DE09AE92D8A88FEB7EB1D0072B928C726FAD94A3A72D3523FB15E41A2AD9CB26AFFDB23CB3D6441FD2B377F29B3DF5CD7E0DB0EC48871C9DCDAA35A4A000
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):22144
                                                                                                                                                Entropy (8bit):6.999174516724751
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:muJD2WfhW4g40V2sms/nGfegRnLyFqnajmI6DllKWWFYg7VWQ4mWvaDLyFqnajmi:mucWfhWvLm0Gf9olp6DufolpqjC
                                                                                                                                                MD5:32ABF928EC4678C2BD68A894DA7DE229
                                                                                                                                                SHA1:ECCC5E68ECF49A8BC448B88A6A8887A570CE47D4
                                                                                                                                                SHA-256:AE60603ED90D3CE024A9C05BDAC449ABB34BA43251241A27298F4A717A27C249
                                                                                                                                                SHA-512:0E71BA1249F65E05461C3E416876502104DC302131312D44151EBDE2D95DF9433B6FAEEA3CA0E1AFE5831172D59EAF3F348735609894E5ECEC3F8D31D199AB2B
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):20096
                                                                                                                                                Entropy (8bit):7.096938225987261
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:mSfHQdujWfhW4y40V2sms/nGfegy280LyFqnajmI65DWWFYg7VWQ4mWvGQBXLyFz:mSf9WfhWFLm0Gfbolp65xWnolpqDOd
                                                                                                                                                MD5:59BF6195153EAB0D466F501BF8F14F68
                                                                                                                                                SHA1:E6E156D6C3EED6B4190A266F7374CAFAC8AD1C07
                                                                                                                                                SHA-256:28AF247ECA739D17FD68979B8C5067DEAF85D4BF8478F480D00DC0337C06F47C
                                                                                                                                                SHA-512:ABD4E96C6E1F54E989E3167402188136ACA172CD926E9910A456094BCD0FADE2F0EAAC97887DCD1BDEF658D8B6D5606A9A493D6B0687653A0496228CF1907ECD
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):250336
                                                                                                                                                Entropy (8bit):6.67586623508473
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:aLh9nrxRw13UyU2G8g1QYYZTDt3n2x+Bdv5zsSiBsTYrPlUEYD/QzkRWAFcOv12H:cInTDtXF15zsSiyZ/0OkzT
                                                                                                                                                MD5:35628D71CF20D4F8AAFB0ABA8DF14B70
                                                                                                                                                SHA1:F48307AA9C2E300C38BD06C1780AC663C67045E2
                                                                                                                                                SHA-256:B2C8A0FBCD4C2EB9BC1AAB03F8FDB2D72D78573A54F3E83D44C95246C4F2D168
                                                                                                                                                SHA-512:F69C6DAE3FF3328C83ED6A03B31DA7207F845AE463A9B20B47535EA5EF31041CE544A47F0CE339C016A02BC16320046A4BC0D82F1DDABAA6008FADFDBE5F4AB7
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:Unicode text, UTF-8 text
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):221418
                                                                                                                                                Entropy (8bit):6.002302055829603
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:c4597qxzbd9+faNR6md4tL2b02dTCkMgS1:c4fKYC76O4tLe0mtMP
                                                                                                                                                MD5:E48E896B4C1D16F92885E580FB2A3D08
                                                                                                                                                SHA1:42272157C20F4E00A1A3797DBF7DB44FA0EEB478
                                                                                                                                                SHA-256:313D562594EBD07846AD6B840DD18993F22E0F8B3F275D9AACFAE118F4F00FB7
                                                                                                                                                SHA-512:D4E6573B3BBD6C5C63C5E77FFA79B05171F59C27C0ED458EBB00B42FEF300DD17E42DF2C91FA8DA44CC37420785CE5A4BB083487BA66D3CAC9D858B129FD3745
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:##.## Bundle of CA Root Certificates.##.## Certificate data from Mozilla as of: Tue Dec 8 04:12:05 2020 GMT.##.## This is a bundle of X.509 certificates of public Certificate Authorities.## (CA). These were automatically extracted from Mozilla's root certificates.## file (certdata.txt). This file can be found in the mozilla source tree:.## https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt.##.## It contains the certificates in PEM format and therefore.## can be directly used with curl / libcurl / php_curl, or with.## an Apache+mod_ssl webserver for SSL client authentication..## Just configure this file as the SSLCACertificateFile..##.## Conversion done with mk-ca-bundle.pl version 1.28..## SHA256: d820b8696d8ffe42064a1384a56a8981cdc7e7e198036bbb5fa04a6c282dd9a2.##...GlobalSign Root CA.==================.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQkUx.GTAXBgNVBAoTEEdsb2Jh
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):377344
                                                                                                                                                Entropy (8bit):6.622534273704378
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:x9xgkX5l8K7Y9VrK5a+OeO+OeN7VBBhhBBV0r04pg5RLrnlwcXsZTsOVo2r3RrEj:BzJlzY9VrKA+OeO+OeNhBBhhBBV0r0Tt
                                                                                                                                                MD5:5BDE978A0FEBD4A59DE0E6B835180389
                                                                                                                                                SHA1:1C522FF3FA433A2302BFA6538C4460CE04833EE6
                                                                                                                                                SHA-256:74C9D82BEBEAAECB50001FF0B1EE6EA129FC9DE3C6A673D29D3E12615B75B3C0
                                                                                                                                                SHA-512:AA598C8C1A0F701C22FE38F53693E5F6C4FF855F66FD568DDFCB5F46CEF058773038F947236D21442575C63E77987127F7FDB1FE2B7223109C25FD0411220318
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):247296
                                                                                                                                                Entropy (8bit):6.644600107772828
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:WSnzYzTHnI3Rdo1LmMlph3dsrGZJFj57Bv23ha:WSnzYzTHn0/el3GGZJFj57Bk
                                                                                                                                                MD5:4DC44D5151384FA688D01DFF77E7BF97
                                                                                                                                                SHA1:E538146BE27B44AD54FD857A17C518EA7096A22E
                                                                                                                                                SHA-256:F490DB01D8A604117856FF993726456B6D3AA087B017C8CBC5ED1B917CD4DF57
                                                                                                                                                SHA-512:56933D16050765E0262BD38BC96EE9A71DE4AC28C6748AD908C08955FC5463FEED5966481176354570404923CFC3FC699A3D93E0470807A26613BA3AC6AD5F32
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):25600
                                                                                                                                                Entropy (8bit):6.131271371333226
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:VaMPU1GymFFngDmQ7aGFFOsYpSaw2K6q7Crq/Fc9kYpSmgqX7xVJJuYm3EbcEccS:eswO59/XzJU/3EbcEccfPu5/ybO5
                                                                                                                                                MD5:602AEEC43305021DCEA0103BFD6167AE
                                                                                                                                                SHA1:1EEF22E0C1A076CF88FBE875974D0DD4D40E4D19
                                                                                                                                                SHA-256:33E177DB21F3F21B7D8CBE0D87E92042F3E45F892491046A26FBA1E989E2C38E
                                                                                                                                                SHA-512:921E2B8BE67B8180F0C77FB186D03C02ED3F5C3AA492618A399DE3F72113161D131D081D0A34DD9AE8DC1B1218601154BF4281E5511679683389F151399A6165
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):38912
                                                                                                                                                Entropy (8bit):6.207215331431973
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:768:9hzC6FBPeS1fK4n+HlGcIMtIHVV9oRZcJkwRq2VGfAxG:9dCyPeS1f0lDIMkVSRZ8kwRq2VGAx
                                                                                                                                                MD5:D1660B41526893100437AC9CDAC8E217
                                                                                                                                                SHA1:F161EBA77809727F66D1202BD89EFD34562CF0DA
                                                                                                                                                SHA-256:A07FEE0A240656A22F8C713D4E036383D08F0C31730E8985804677A6297203FF
                                                                                                                                                SHA-512:07E696BF7EB0C1D5F6DC0D334A16466489662A8FC38C3E7E9A92DE30319EE542331CC0C4966997C7CCE74279B767E9C26D5EA783E5CB70C4DECC61F83F5B46B7
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):56320
                                                                                                                                                Entropy (8bit):6.28107185030795
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:768:0g6WGrXFKjLkpcYnwFof0T8DoJxizXb43ijB2RzNSkZXtsLyrFxjmlR1:0g68LkpcYaG0Jxizk3ig+k12ypxjmD
                                                                                                                                                MD5:90C5A4208AA1AC6DAFB6189159CD7E10
                                                                                                                                                SHA1:7DF05CAA1DBBFA7D8F65ABEAA2D5B3A49AC66032
                                                                                                                                                SHA-256:17927AE7A1E834DD150C5C26E21F68DFA6404A813DFE1A1C33D0DAD446BA3489
                                                                                                                                                SHA-512:E0FBA99AC770A15338A6F06C94F99CE948CC9406444799BBA7EED2514F122F0062DC330C2E67BD41F0235D526FCA232974C9D19B40C9C1C5E0ED01E82494BDBE
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):65536
                                                                                                                                                Entropy (8bit):6.359986452847881
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:1536:RL/ftxkxHcPrB/cEtQV0bTydy8sZq6FwErl5nZFyfQe3egh1rec8f:RL/fEqPrBZQV0bmw8JejZFZe3egh1reV
                                                                                                                                                MD5:8254B2B4065959E64ACA2C91C2FCCEA7
                                                                                                                                                SHA1:483591ED9E282C6C6726D0DA557FA783ED9A798C
                                                                                                                                                SHA-256:BE195001A8B43DDA8F6193623133E51D378E08094E5AB8F29174A35299EB4E57
                                                                                                                                                SHA-512:4C1777D500CC7198E155142A9322E26A4DC7B392E21948F94A2AAF64BEB1B02D3643B7AAEF3F6AF1BB33D324CD571FD06C3FBC672ABB577CAD3FD0F10FBEE529
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2420360
                                                                                                                                                Entropy (8bit):6.6336371574975415
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:D+MGxeMqH0XTQD+QmyuIaX/eayh18cwSizEK1ly6ajezGp4B9QESo0jUsDs/TpyY:7GYDgQaQm3IaX/eayh18cNizEK1lyFjw
                                                                                                                                                MD5:F2AA84D12FCC64349F96DF7EF5F6D063
                                                                                                                                                SHA1:EDDF2F6D54CB86B4251BE168080F5E4ACD4ACC0A
                                                                                                                                                SHA-256:1A4EF4224D094E512CF7A21EB7ADE8A36C0028AEBBDF292F34EA6FE752793CD0
                                                                                                                                                SHA-512:E6ACE721D6D570DB247774D0D78E1F8226A1977A7E1F3CE892E58DCA6556EA7324C42507DE9D3BA8E7E55CA22D7329F2F91E93B4C735FD0C63FB80B319AB26E8
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1152120
                                                                                                                                                Entropy (8bit):6.718131954608567
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:tTZKRJUbe2HjVjy9ZYSpFRrhifOgCtH30nPpbFTBT44A900TE:tKUbibtYTmE
                                                                                                                                                MD5:5E4D6CE410E2C156C293162CEF078FCA
                                                                                                                                                SHA1:19E8F2046683A71CDAF907120CE4C95F5339FAF3
                                                                                                                                                SHA-256:6E158F098213773EE2AB91C1F02AB39FBE2896947C9DFCF762AEE10662A8BCD8
                                                                                                                                                SHA-512:076824CC390A7EDE124F6ACBBF407ED7CAED0CF15E5B827F0B622FC93B851EAAA3F8A1D6F2F701CCB2078B7B8A28D2383DE7B71DE6F560B628049394DFC29EA9
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):7628296
                                                                                                                                                Entropy (8bit):6.883554064061235
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:98304:Qk0qazYwucW8W7TVxywq66puiA9yRUY+pcAWTBZQNF27Fhp8HcKP3Par9+U0Hqgr:6cR8W7Js66EiA9wb+ptWTBDd83arqXvT
                                                                                                                                                MD5:1406431ED0927C24BC87045547CB7892
                                                                                                                                                SHA1:68E0710011EA9948A7A72F5BBAC3A2732953F4A2
                                                                                                                                                SHA-256:2A2B4CD5722F251C56AE5B7AC7671BB423B229EE30089E8723BD942AED0BF36E
                                                                                                                                                SHA-512:3BB4EEAF6B1181A68D9BA2351CA3212FE99D49AF8D99AB7DD3E1DCF0BCFAC6CAA9DE1828644127CEA694CD66CF862EB339C705FE56A378EA625F88775961F5F8
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):130560
                                                                                                                                                Entropy (8bit):6.525744169865501
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:1536:szm4GEVEQHTi806bFkC9rE2HfJUUqJacGjO2VOcOcCIhZ1nd4skksS:t4GEmR4kC9rRfah32VXOrIxnd4skksS
                                                                                                                                                MD5:8B650E64CA112A000F95EB16D698E151
                                                                                                                                                SHA1:7B6533950068EEB9AA96EBAB55E524C48732B70C
                                                                                                                                                SHA-256:CD4F37C1C978F6C7B38AE44B25F0C1DBE40F1B6CF626A08947D5808D7E34A086
                                                                                                                                                SHA-512:E3D9C1C0E21631697FA7BCA5A76467647863430283D855A860A16F87EE9273A1BC37B9A6E5FA16E1A9ED47058738603BA12DC7276278799D1B657AA504597701
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):25517
                                                                                                                                                Entropy (8bit):4.3572222098449656
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:7hCsprmNmCkqgiX2iXj9hl7W+oMCX4mckscq99DQVG6LIz9CPZge7JW:7hP8m6gimiz7lMVcsqbQ3E
                                                                                                                                                MD5:C9DD571AC7754198121FED48C4710083
                                                                                                                                                SHA1:39938C77FE62F9EE1E85CBFDF52BA575422C16B6
                                                                                                                                                SHA-256:04FCAA20ECF50FCFC9CAFA62618281BFDE9252DE6E93284B7A5E7D30CCE52736
                                                                                                                                                SHA-512:6DC6AF1DEBCF88B9DD29906E48ADDBCA3270C539F3EF083A243892065C4E5E5AEE64E02212A4095B9224EA4FF12746D9D009B19733C207F78869A2AE8B82365C
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):139776
                                                                                                                                                Entropy (8bit):4.254172171888564
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:1536:MYwQ57c+V9B0+Fx8qC0iULvxogeztsYLwyD5UUN6:DPc+Vj8q7ajGYLwyD76
                                                                                                                                                MD5:DCDA1583D25968DA25B1D1BF91169680
                                                                                                                                                SHA1:10681C51922CFD06A088C6A6C75CD186F9C8D9D1
                                                                                                                                                SHA-256:84A73BC173A30B2D174A66637BD075BD2C01E48E4FD97ED032DCAFB2C8C0DEA3
                                                                                                                                                SHA-512:3DF130F1A7A82F8401F7E7EC9D56B65F453ECD4CC525FE4AA196E090356951FC00FDCF9A99E776B2CDE2B3CA9276AF7DB270BB2DB4FF1B6CF3F63B648F7DCA76
                                                                                                                                                Malicious:false

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 998429
Entropy (8bit): 6.238566383831095
Encrypted: false
SSDEEP: 24576:Rhzee3cQ++DkVxP1KiGSryMkZmwHVvSew+1W6:vcQ++DklGyyBZLHb
MD5: 4179DFF59DD375B2967E9D415F6A99E5
SHA1: 05C52C5AE5754163E05B99680ECEB1D1CFAC5F85
SHA-256: 54A16E0AD2446BF981D84ED4A0634305C2D233757C495E1C9149921EA768D1FA
SHA-512: DD131F1F756096C3FBFF400FDC142A10CCCC13BAD597834C94373E94D12660B1AC1933D9380F2E1154D1B78415CFBE103FD99DCEC2484A065982E7A63872C648
Malicious: false

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 514184
Entropy (8bit): 6.176352008861642
Encrypted: false
SSDEEP: 12288:tC/fhNxnzrGlXFOc3xlHPs9hAxRg79eK3yeHqJVKlD9ou1UYaZB:tC/fhNxnzrGlXFOc3/HqhAxRgZeKieHK
MD5: 55694C901F906B6234A0B89A27F0F508
SHA1: 5BA83E0BAC11F952C05B85EF731B8AA3C2B1CC2F
SHA-256: A384DEB5F6C8517852B0FA4832A373C37881855FAF1FFCE5B7B49EA866371393
SHA-512: BF37592206FCEBB6A2BDEC9B57377456B0DFD56678C51C3D6F81F06F103546966A3F569390522A48917BD461DFA3404D3CCE870D0DB9E98A89C98D4C9653A276
Malicious: false

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3663565
Entropy (8bit): 6.344864033991189
Encrypted: false
SSDEEP: 98304:5TzXFjljaTzvYxVZyrZ424cozjjc7g1zncaDAAy:5TzXnjaQfZu
MD5: 72B58BE0B56AA0F7BBFDFDDD2554B06F
SHA1: C4519063EE6CBBB8FEB6C846949B1C5C81DA26BA
SHA-256: F52724AE696B5C9E2586FD41047E6AC56541EFDFC157A33BA20AD5826234BF53
SHA-512: 640B747EBE5EFA39EC05558A75B418BF1C60DE9F503698B2E8A68AFB5BFB2DC890943D13BFA3CD6366C7F9D7E293C9AA9B783C00E313AA27F6E15065937628C1
Malicious: false

Process: C:\Windows\System32\msiexec.exe
File Type: Unicode text, UTF-16, little-endian text, with very long lines (948), with CRLF line terminators
Category: dropped
Size (bytes): 9484
Entropy (8bit): 3.534564528446219
Encrypted: false
SSDEEP: 192:eh+h/WtueQE3iAId2fHU2TPVa1l3zz0bTcAeVfQlmhdg:PAueQmiAId2fTPKtn03Qjhdg
MD5: 707CBBB07CC3D4A379391A04A0C8E477
SHA1: 35DEC34BD8189CDC1640E38413FB312936148242
SHA-256: EDB62536C5C814B5C66977E8CD08316F4596F6C5ACC11C195A697831ED7F42A2
SHA-512: EAD93BDF25F806CF8A9630E1728A1D87917BC071CBC27131546619FDA45562684C658CA4D1B693D5B528C98915995D7B43AF6909C39CFB23E7D9AD8414720DFE
Malicious: false
Preview: Isoo Backup End User License Agreement
NOTICE TO USERS: CAREFULLY READ THE FOLLOWING LEGAL AGREEMENT. USE OF THE SOFTWARE PROVIDED WITH THIS AGREEMENT (THE "SOFTWARE") CONSTITUTES YOUR ACCEPTANCE OF THESE TERMS. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, DO NOT INSTALL AND/OR USE THIS SOFTWARE. USER'S USE OF THIS SOFTWARE IS CONDITIONED UPON COMPLIANCE BY USER WITH THE TERMS OF THIS AGREEMENT.
1. LICENSE GRANT. Isoo Technology Co., Ltd. grants you a license to use

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 450024
Entropy (8bit): 6.673992339875127
Encrypted: false
SSDEEP: 12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5: 5FF1FCA37C466D6723EC67BE93B51442
SHA1: 34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256: 5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512: 4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious: false

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 29160
Entropy (8bit): 6.865752122056947
Encrypted: false
SSDEEP: 384:ksmpXUJuJv+VWcn53WeZwyRgAQpBj0HRN750QHRN7u7ll6JpIm4:aUUJvSRhqW5082
MD5: BAEB5294985628E64660CBC1EB8A5C92
SHA1: A69E5CC6A51FE90309664A0BF4D05A70956041FD
SHA-256: 6527B9B5A1B7D08B537375DADA65BC79F6B6A9BCECA55BC28F44EADA20E4CE8D
SHA-512: B234B03DBE25ED4265C9F08E9EFBB9D94A1077142BC6780162F6B1DF547C9DFC37A7342F70E8EC55C7C3B97F73CE819E979BD13F3B43C311DF4555150D53DE29
Malicious: false

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 173544
Entropy (8bit): 6.8651765192315075
Encrypted: false
SSDEEP: 3072:FMZBzhr8dqXk7Bto76vriyFiE966jcdZ5EyYyG:WZBziFto76pFiE96skDNG
MD5: B31CACCCD4D40BBAD92B7248D30FD7EA
SHA1: 5ABB563D6B5839456D061EB567508D852BA8FF7D
SHA-256: 71B8F5875BD4D29417433FA695FC4500284225A0A7C894D5C5E60FC20C56E3BF
SHA-512: 1E7DECF8903F67DCF755AB6EA20DB2F7C15CEFFE840B742E7C5C642C13DA5EE9DE38CE657BF456A0B6B46CE3EA2A88CD1AFD9AE3EA57078A0CEB254B1EEC8335
Malicious: false

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 52104
Entropy (8bit): 5.1488364199396335
Encrypted: false
SSDEEP: 384:ZWlTFwTSloNYcSNXR5cHDIABta/FWFvug0yiT3UN9imfI/NVW0jdT40Fzenw3GDx:GVT9kNWNLTXwwWDpQJs10cM8dAgT7
MD5: FFB8C73E6E3769D5D8715E694707C792
SHA1: F7D63FA41C34D7B75CD70D72E317DB148F3D50CA
SHA-256: 1DD7D3417FFFC321A67AAE2CA7E89A7D75203F8A3586CD829C56766F313F7931
SHA-512: 61E83F71A388FD1176665225CC84C32FAC40663376629ADBE9B47CD9E69DDADC43FEC021B07062585AF80811E8F3E0479314B2277E6CB8617645FD304FAE88AB
Malicious: false

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 18816
Entropy (8bit): 6.421430337596372
Encrypted: false
SSDEEP: 384:5DSdV3lIjIjP2dhWiOEWs/KLHRN7kxjlGsgl/Z:5c32jmdmAT7/Z
MD5: EF6C5EEB8B36D941E6991E6981CDB88A
SHA1: E21989951B745B290F143DD63F94BD4399A74284
SHA-256: 3859B4A5A5C0A30CEE15C188F678E09D040541C221999D926955B49E8779E675
SHA-512: 12CB0C4E4DE73600E262B6B6D0448FB050BD4B673D86265B4033B253EA3864DDA4F004F6344AAE5BED7A15D5717531F7B18374E47FF4258E027EE7B896F6F406
Malicious: false

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 119888
Entropy (8bit): 5.695966568112649
Encrypted: false
SSDEEP: 1536:8S+qy+D0wdemoU13StS8WVChdiH/pViXJN7fJ/Vs0TReDPD:R+5c0nmJyS8W+iH/p+JNDXs0TRef
MD5: 72C1FF7F3C7474850B11FC962EE1620C
SHA1: B94F73A1CE848D18B38274C96E863DF0636F48A7
SHA-256: 3B159DA9DAD9AFD4BD28B5B1A53DC502A2487068055ED8C30136A76CD6924890
SHA-512: 1ED4B3C34DD0033EC2AA05BDACAA45041D9CD5880FDB5530CA033308AB349C09D4811BB276BBDF51A3040B7A337F9A5D33796924550962A56058203799C5BD53
Malicious: false
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1193808
Entropy (8bit):6.84018646398061
Encrypted:false
SSDEEP:24576:+2VtWvCtRv0Ny40T3aErFxtGf3CPR6hFYQQbxmcvIZPoy4xWh:RV+dubaErFxw3nQb3Wh
MD5:6C2810F92A98551650CB268E68A12441
SHA1:0086B73B79DA608BFB969D06D72B6CB9FED948F4
SHA-256:656E7FE89E902F00E5115D23F69FFBD043D923277C5A21149F2C60E0ABBB4614
SHA-512:D8ED5FC3C7CA60225F4965BD097B86EA197A111655E5974690F926900EC787A103B62431B113818B1F81F9A576CC970B1B8798D30D89FA4713ABDC13FFD291A3
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):270312
Entropy (8bit):6.5939977682940984
Encrypted:false
SSDEEP:6144:UGRqOVlbqCDAqsfeP67SKJpxL0Me83g/2WAOgJ:UG0E48APlOWkAOgJ
MD5:43BD447470FC404AAED0BC75A4FF1F5F
SHA1:D057365C0C01CF81A1F30FEF5D470985CFB45D20
SHA-256:70863045102274C9BF78BAA4D2774B334F92329567A3DD6C246E7876F6B851A3
SHA-512:AF52EDB860541E4EA9824767F152197B42020CA62D85D4AE698CCEF23337D7410F7319C9EC220992A7849B2D6F58265E5A8B3F34C7EA26F849A565845E24701E
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):80880
Entropy (8bit):6.920480786566406
Encrypted:false
SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:A37EE36B536409056A86F50E67777DD7
SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):103950
Entropy (8bit):6.616616906023165
Encrypted:false
SSDEEP:1536:jD8j24eGiv4dU/KW7H4lg6qcFiQ5Y9w8VAwQnToIfCIO5IOYWUZ2Qo49k:jGTEv4dqYg+epSXTBfgTYWUco9k
MD5:13CD5AB2DA5A98F5F76AA6F987187461
SHA1:DD2D54668258B989CC500C132D9A686BABE67FA5
SHA-256:3310CA85F0CB26E07BB3D8E1168C49E572A7C50762FA8140768663A5DF9823E9
SHA-512:C1C0C11B9804E6D25C8B1C74A09BFD3133255FE47AB9515CDE124EC73231205B11D0536A66FCCC9379DD84A33BB589CC78F867EF423FF30067363FDEE7D605CA
Malicious:false
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):53
Entropy (8bit):4.288662436874635
Encrypted:false
SSDEEP:3:pLACpQXbJJFIAV/AN5APJovn:pLXQ98AV/WYY
MD5:4A96BA701ADF1164224EAB410A2F8A38
SHA1:736619BE1E267170AEB610B13452541DDB9B4601
SHA-256:A4059274811C8D5EA5F3901E1FFC8B6CEAAF65569F21E8632F3EC66001226D55
SHA-512:1C4258CCD01ADE243EE0F943A2C9A7BC46E02EA9ED1715E2ACE389ADDE4DCE49F177C2AE2F5A58A685C8BDE20B8CDE836889C2141C6EADCA86DBF51764F961F8
Malicious:false
Preview:cmd.exe /c powershell -ep bypass...\whoami.exe /all..
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):5440
Entropy (8bit):3.9326200590978297
Encrypted:false
SSDEEP:48:DOFlt8dsm8pCeU23V8Bukvjwo4nB/+0X20IgqbFs7SogZoXHB/+0X20Igq8Ws7SI:At8f8pCnkvkvMDW0G0KbVHeW0G0KrH34
MD5:EB5C1338E3372413FB3E6116F3747EC4
SHA1:7A02F84EA19EF4DE0B92DC5B33CB8DE44705CE4D
SHA-256:2873280E96907449929CA395E3F531763BEE79E12C23D0CB64B579B8C8AC46AE
SHA-512:354BAD043E4FCA0D78DEA19BB646C306ED49C75A23299FE6857715FABAEB70F8BB59F4AB159A5D0490B72A814C2FCCD38E20539A39B1B73405F88C551626E052
Malicious:false
                                                                                                                                                Preview:...................................FL..................F. .. ......{4.........z.:{.............................:..DG..Yr?.D..U..k0.&...&.........{4....>.P................t...CFSF..1.....FW.H..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......FW.HLY,C..............................A.p.p.D.a.t.a...B.V.1.....LYRC..Roaming.@......FW.HLYRC............................*.R.o.a.m.i.n.g.....\.1.....LYPC..MICROS~1..D......FW.HLYPC..........................p.?.M.i.c.r.o.s.o.f.t.....V.1.....GX+w..Windows.@......FW.HLY,C..............................W.i.n.d.o.w.s.......1.....FW.H..STARTM~1..n......FW.HLY,C....................D.....R=..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....FW.J..Programs..j......FW.HLY,C....................@......!r.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......FW.HLYfC..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......FW.HLYeC....Q...........
                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):5440
                                                                                                                                                Entropy (8bit):3.9326200590978297
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:DOFlt8dsm8pCeU23V8Bukvjwo4nB/+0X20IgqbFs7SogZoXHB/+0X20Igq8Ws7SI:At8f8pCnkvkvMDW0G0KbVHeW0G0KrH34
                                                                                                                                                MD5:EB5C1338E3372413FB3E6116F3747EC4
                                                                                                                                                SHA1:7A02F84EA19EF4DE0B92DC5B33CB8DE44705CE4D
                                                                                                                                                SHA-256:2873280E96907449929CA395E3F531763BEE79E12C23D0CB64B579B8C8AC46AE
                                                                                                                                                SHA-512:354BAD043E4FCA0D78DEA19BB646C306ED49C75A23299FE6857715FABAEB70F8BB59F4AB159A5D0490B72A814C2FCCD38E20539A39B1B73405F88C551626E052
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:...................................FL..................F. .. ......{4.........z.:{.............................:..DG..Yr?.D..U..k0.&...&.........{4....>.P................t...CFSF..1.....FW.H..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......FW.HLY,C..............................A.p.p.D.a.t.a...B.V.1.....LYRC..Roaming.@......FW.HLYRC............................*.R.o.a.m.i.n.g.....\.1.....LYPC..MICROS~1..D......FW.HLYPC..........................p.?.M.i.c.r.o.s.o.f.t.....V.1.....GX+w..Windows.@......FW.HLY,C..............................W.i.n.d.o.w.s.......1.....FW.H..STARTM~1..n......FW.HLY,C....................D.....R=..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....FW.J..Programs..j......FW.HLY,C....................@......!r.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......FW.HLYfC..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......FW.HLYeC....Q...........
                                                                                                                                                Process:C:\Program Files\7-Zip\7zG.exe
                                                                                                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Network MPluginManager, Author: MeldaProduction, Keywords: Installer, Comments: This installer database contains the logic and data required to install Network MPluginManager., Template: Intel;1033, Revision Number: {29FF04AE-EC3E-484A-BDA9-9EFFD6567EDB}, Create Time/Date: Wed Aug 14 23:53:36 2024, Last Saved Time/Date: Wed Aug 14 23:53:36 2024, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):14729216
                                                                                                                                                Entropy (8bit):7.99615401130609
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:393216:75Nm1Z7nsPSUTtXmAKARHAnm3z1GQOjKE7Uov:nm1ZTsaUTtZsE1GQOjvt
                                                                                                                                                MD5:4FFF2618D8F4F571BD0FED70DB95A6A2
                                                                                                                                                SHA1:0C2DC8DF585EF1FB3D963820D4B9A5C5A41AD0F6
                                                                                                                                                SHA-256:D7816BA6DDDA0C4E833D9BBA85864DE6B1BD289246FCEDAE84B8A6581DB3F5B6
                                                                                                                                                SHA-512:B05A8627F52943F5B1BEACFDBC45C49C9CC70C9A12E8A165B8587D6A7BAB18EDF1BB7D90231C404A4BE7C0C7B73856056A5D11D642EEFD83A8D2CF236636DFC8
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Network MPluginManager, Author: MeldaProduction, Keywords: Installer, Comments: This installer database contains the logic and data required to install Network MPluginManager., Template: Intel;1033, Revision Number: {29FF04AE-EC3E-484A-BDA9-9EFFD6567EDB}, Create Time/Date: Wed Aug 14 23:53:36 2024, Last Saved Time/Date: Wed Aug 14 23:53:36 2024, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):14729216
                                                                                                                                                Entropy (8bit):7.99615401130609
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:393216:75Nm1Z7nsPSUTtXmAKARHAnm3z1GQOjKE7Uov:nm1ZTsaUTtZsE1GQOjvt
                                                                                                                                                MD5:4FFF2618D8F4F571BD0FED70DB95A6A2
                                                                                                                                                SHA1:0C2DC8DF585EF1FB3D963820D4B9A5C5A41AD0F6
                                                                                                                                                SHA-256:D7816BA6DDDA0C4E833D9BBA85864DE6B1BD289246FCEDAE84B8A6581DB3F5B6
                                                                                                                                                SHA-512:B05A8627F52943F5B1BEACFDBC45C49C9CC70C9A12E8A165B8587D6A7BAB18EDF1BB7D90231C404A4BE7C0C7B73856056A5D11D642EEFD83A8D2CF236636DFC8
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Network MPluginManager, Author: MeldaProduction, Keywords: Installer, Comments: This installer database contains the logic and data required to install Network MPluginManager., Template: Intel;1033, Revision Number: {29FF04AE-EC3E-484A-BDA9-9EFFD6567EDB}, Create Time/Date: Wed Aug 14 23:53:36 2024, Last Saved Time/Date: Wed Aug 14 23:53:36 2024, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):14729216
                                                                                                                                                Entropy (8bit):7.99615401130609
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:393216:75Nm1Z7nsPSUTtXmAKARHAnm3z1GQOjKE7Uov:nm1ZTsaUTtZsE1GQOjvt
                                                                                                                                                MD5:4FFF2618D8F4F571BD0FED70DB95A6A2
                                                                                                                                                SHA1:0C2DC8DF585EF1FB3D963820D4B9A5C5A41AD0F6
                                                                                                                                                SHA-256:D7816BA6DDDA0C4E833D9BBA85864DE6B1BD289246FCEDAE84B8A6581DB3F5B6
                                                                                                                                                SHA-512:B05A8627F52943F5B1BEACFDBC45C49C9CC70C9A12E8A165B8587D6A7BAB18EDF1BB7D90231C404A4BE7C0C7B73856056A5D11D642EEFD83A8D2CF236636DFC8
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):30025
                                                                                                                                                Entropy (8bit):5.649704397214372
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:768:x3b2fLDDPAf96baeg+5y+Bl+ZRpHAf/qe9NT:ZSTraeA8l+UHT
                                                                                                                                                MD5:7EBEAE39DEE46E546F3D0A9A8411DEFF
                                                                                                                                                SHA1:DAF98B92C0D9CF754357B0B3DE090DCBF738A226
                                                                                                                                                SHA-256:D63D45C23A265C36011915A1C8428A4B1C756B1F9EF70AEF18AD9D7893D2E176
                                                                                                                                                SHA-512:5BB71F65A01D3B5ED810A6FE22484147251B04598399B9FD8FE9BE10E6A056A9E29F25CB30D3F03F6508AC9BBAE1F6E071DD4B00131BBF640A6C0CC00988AEE8
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:...@IXOS.@.....@P#LY.@.....@.....@.....@.....@.....@......&.{4A194FDC-5FC7-428C-83CA-BC4A750D530B}..Network MPluginManagerD.d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi.@.....@.....@.....@........&.{29FF04AE-EC3E-484A-BDA9-9EFFD6567EDB}.....@.....@.....@.....@.......@.....@.....@.......@......Network MPluginManager......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@Q....@.....@.]....&.{A208D58F-C124-FBA8-5E62-D9F309A889F7}H.C:\Users\user\AppData\Local\Programs\Network MPluginManager\DGBCDX64.exe.@.......@.....@.....@......&.{817A92D5-8BF7-8BB6-8915-93C4929ABC9B}X.C:\Users\user\AppData\Local\Programs\Network MPluginManager\GuardEassosRestoreBoot,1.exe.@.......@.....@.....@......&.{CB302EC1-B81E-4BB2-92BD-383C32ACD00C}X.C:\Users\user\AppData\Local\Programs\Network MPluginManager\GuardEassosRestoreBoot,2.exe.@.......@.....@.....@......&.{3EE7E081-425D
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):20480
                                                                                                                                                Entropy (8bit):1.19453110597992
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12:JSbX72FjfZXAlfLIlHmRpnh+7777777777777777777777777ZDHFeBN0p9Xx+Kq:J/UIYe20nh08F
                                                                                                                                                MD5:3E3FA504A1EFDD657259685DAF716744
                                                                                                                                                SHA1:24C4E6C690E5B996A2400449CE5654186EDC12D9
                                                                                                                                                SHA-256:C48796A8235546766EB7C0B7FF1085ED1158EFDAF4F1470768E53498B9A73BD5
                                                                                                                                                SHA-512:52AE3CD979AEB534F79EF7E1F868CA08A123A7FBF817C864AAC749DED4FB064A9B775A90657CA10005C6F4DAD73F4DD4CFCF4D873355C29ED29A89AA8D4D905C
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):20480
                                                                                                                                                Entropy (8bit):1.5886841338162965
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:h8Ph3uRc06WXi0wFT577EJyEJH0yGu0rS5yEJPrlyGu0rSIw0:8h31GwFTtG5H+rcprd
                                                                                                                                                MD5:DD01AAB67AE9CC8FBEBE111B8EC7B927
                                                                                                                                                SHA1:0F9E423A91EDBF13DE12B4D1EF021D0CC66A9EBC
                                                                                                                                                SHA-256:92277A9FD604C45DDD3F99D73570831C2142ABBA09BF4B1FB110B1A92FFB8E3E
                                                                                                                                                SHA-512:09D5356B23D639AA22412A85C1650CE19CB56A56E8B21B7B14B9A19657B168D9F56B434FDF255C3C89EC15A8B537CD241215C30E993E211EAAF4CA6BE18F7A82
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):32768
                                                                                                                                                Entropy (8bit):1.2681969341067876
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:govuvs4vFXiAZT5ey7EJyEJH0yGu0rS5yEJPrlyGu0rSIw0:hvC9ZTcyG5H+rcprd
                                                                                                                                                MD5:9BD225DE1B268FB99CB5DFB4C71B301E
                                                                                                                                                SHA1:BD9771857101456AFDA93040F38D09D41F3B6858
                                                                                                                                                SHA-256:CB7373D2EF11F51268024F49C65F8F1F7F1B1F24B21EFCB7ECC2C4B5993043E7
                                                                                                                                                SHA-512:CEF3E1A5E85E14B4A7D86638D0501A76CE9D2BD9976868E8E04C5AEC83959DE5D94A899C3B6090464736B1E24DDCC42D1D757263707129F33EEBD9D76AE4A408
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):20480
                                                                                                                                                Entropy (8bit):1.5886841338162965
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:h8Ph3uRc06WXi0wFT577EJyEJH0yGu0rS5yEJPrlyGu0rSIw0:8h31GwFTtG5H+rcprd
                                                                                                                                                MD5:DD01AAB67AE9CC8FBEBE111B8EC7B927
                                                                                                                                                SHA1:0F9E423A91EDBF13DE12B4D1EF021D0CC66A9EBC
                                                                                                                                                SHA-256:92277A9FD604C45DDD3F99D73570831C2142ABBA09BF4B1FB110B1A92FFB8E3E
                                                                                                                                                SHA-512:09D5356B23D639AA22412A85C1650CE19CB56A56E8B21B7B14B9A19657B168D9F56B434FDF255C3C89EC15A8B537CD241215C30E993E211EAAF4CA6BE18F7A82
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):69632
                                                                                                                                                Entropy (8bit):0.151719308396009
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24:hH+nzuSRHOwV4GuSRripV0wV4GuSRripV7VKFE1hdRGwGODlrkgh+UFE1hdRWFEL:z0HLyGu0rSLyGu0rS5yEJPrhLEJyEJ1
                                                                                                                                                MD5:0087CEE12C7F39DEE06F26E99A183CC2
                                                                                                                                                SHA1:4C96575F07535B88826826346A9F159FF479085F
                                                                                                                                                SHA-256:51B9BE4ED06F6076C842323B3288A6454BB313D1D9124D3C857D848B821BB588
                                                                                                                                                SHA-512:34F0EB08495B6F8CDE6E96CD38E3D709A13932170E163FABEB4621E31E96CB737C630A99CA671822617CF56809156CC6EE88BBD6029DFB788BBC469222AA2278
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):20480
                                                                                                                                                Entropy (8bit):1.5886841338162965
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:h8Ph3uRc06WXi0wFT577EJyEJH0yGu0rS5yEJPrlyGu0rSIw0:8h31GwFTtG5H+rcprd
                                                                                                                                                MD5:DD01AAB67AE9CC8FBEBE111B8EC7B927
                                                                                                                                                SHA1:0F9E423A91EDBF13DE12B4D1EF021D0CC66A9EBC
                                                                                                                                                SHA-256:92277A9FD604C45DDD3F99D73570831C2142ABBA09BF4B1FB110B1A92FFB8E3E
                                                                                                                                                SHA-512:09D5356B23D639AA22412A85C1650CE19CB56A56E8B21B7B14B9A19657B168D9F56B434FDF255C3C89EC15A8B537CD241215C30E993E211EAAF4CA6BE18F7A82
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):512
                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3::
                                                                                                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):512
                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3::
                                                                                                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):32768
                                                                                                                                                Entropy (8bit):1.2681969341067876
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:govuvs4vFXiAZT5ey7EJyEJH0yGu0rS5yEJPrlyGu0rSIw0:hvC9ZTcyG5H+rcprd
                                                                                                                                                MD5:9BD225DE1B268FB99CB5DFB4C71B301E
                                                                                                                                                SHA1:BD9771857101456AFDA93040F38D09D41F3B6858
                                                                                                                                                SHA-256:CB7373D2EF11F51268024F49C65F8F1F7F1B1F24B21EFCB7ECC2C4B5993043E7
                                                                                                                                                SHA-512:CEF3E1A5E85E14B4A7D86638D0501A76CE9D2BD9976868E8E04C5AEC83959DE5D94A899C3B6090464736B1E24DDCC42D1D757263707129F33EEBD9D76AE4A408
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):512
                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3::
                                                                                                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):512
                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3::
                                                                                                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):32768
                                                                                                                                                Entropy (8bit):1.2681969341067876
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:govuvs4vFXiAZT5ey7EJyEJH0yGu0rS5yEJPrlyGu0rSIw0:hvC9ZTcyG5H+rcprd
                                                                                                                                                MD5:9BD225DE1B268FB99CB5DFB4C71B301E
                                                                                                                                                SHA1:BD9771857101456AFDA93040F38D09D41F3B6858
                                                                                                                                                SHA-256:CB7373D2EF11F51268024F49C65F8F1F7F1B1F24B21EFCB7ECC2C4B5993043E7
                                                                                                                                                SHA-512:CEF3E1A5E85E14B4A7D86638D0501A76CE9D2BD9976868E8E04C5AEC83959DE5D94A899C3B6090464736B1E24DDCC42D1D757263707129F33EEBD9D76AE4A408
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):512
                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3::
                                                                                                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):32768
                                                                                                                                                Entropy (8bit):0.09302969341773204
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOeBN0pM5WGmdncu+K1Td7vWkYVky6lIt/:2F0i8n0itFzDHFeBN0p9Xx+KWOI1
                                                                                                                                                MD5:5D7EAB73066D4B2BA6D02E08268067CB
                                                                                                                                                SHA1:FDBFB550F11C461936CC0EE4D9A4EB009EE16AD5
                                                                                                                                                SHA-256:AA543598B583D2E602C997B34CA82B0055354DCA3838021656D0648958B1096B
                                                                                                                                                SHA-512:8C90D49B4B7127026D4DB9955C218CE9F5A004FB7959AC8E02BF4C7D9237B6997876A6A2867B0AA647639A1FE12D8A4BE70623A43F940F142153A436D9E54045
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                File Type:ASCII text, with very long lines (445), with no line terminators, with escape sequences
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):445
                                                                                                                                                Entropy (8bit):3.741935310885888
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:tzgP8khjaMMQ6MMQ9MMQIzgMQIpP8MMQIjCkMMQIpPjMMQIpPo2MMQIpPW2z:tzgkkhjaMOM5MCgBM8CkMoM52MYz
                                                                                                                                                MD5:5F281123130642B649133B73C2B80C48
                                                                                                                                                SHA1:2DA808420C1D14B95F75F9E1C9292172CEAE35D9
                                                                                                                                                SHA-256:469B1CBCACE30340F19AF7CF73712FE2DC49661A417FAC59E1BE6325BE145E55
                                                                                                                                                SHA-512:F45831B6BD97E53F300174928F9889B00DB7322CA8D296EBCCE7EFD74476F162BBDE358AE4C1581F627A6F7F57865FEFB2297E639CB2DD6C0B60EE12D0FE5975
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:.[93mw.[33m.[45m.[0m.[93mwh.[33m.[45m.[0m.[93mwho.[33m.[45m.[0m.[93mwhoa.[33m.[45m.[0m.[93mwhoam.[33m.[45m.[0m.[93m.\whoami.exe.[33m.[45m.[0m.[93m.\whoami.exei.[33m.[45m.[0m.[93m.\whoami.exe.[33m.[45m .[0m.[93m.\whoami.exe.[33m.[45m .[33m.[45m.[0m.[93m.\whoami.exe.[33m.[45m .[90m/.[33m.[45m.[0m.[93m.\whoami.exe.[33m.[45m .[33m/a.[33m.[45m.[0m.[93m.\whoami.exe.[33m.[45m .[33m/al.[33m.[45m.[0m.[93m.\whoami.exe.[33m.[45m .[33m/all.[33m.[45m.[0m
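The 445-byte file above, written by powershell.exe, is not a script but a console rendering: a line editor (the colouring is consistent with PSReadLine) redraws the whole input line after every keystroke, wrapping the command and its arguments in ANSI SGR colour sequences, and the report's Preview prints the ESC byte (0x1b) that opens each sequence as `.`. Restoring those bytes and stripping the colour codes recovers what was typed, keystroke by keystroke, ending in `.\whoami.exe /all`; the jump from `whoam` to `.\whoami.exe` is consistent with tab completion. The Python below is an added example for this page, not Joe Sandbox code. Its only input is the Preview line reproduced from the report with `.[` restored to ESC `[`; the result is exactly the 445 bytes the report lists for the file, which confirms the Preview shows the whole file.

```python
"""Recover the typed command from an ANSI-coloured console capture.

Added example for this report, not Joe Sandbox code. PREVIEW is copied from
the report's Preview line; restore_escapes() undoes the '.' the report prints
for every ESC (0x1b) byte.
"""
from __future__ import annotations

import re

# Copied from the report's Preview line; every '.[' is a rendered ESC '['.
PREVIEW = (
    r".[93mw.[33m.[45m.[0m.[93mwh.[33m.[45m.[0m.[93mwho.[33m.[45m.[0m"
    r".[93mwhoa.[33m.[45m.[0m.[93mwhoam.[33m.[45m.[0m"
    r".[93m.\whoami.exe.[33m.[45m.[0m.[93m.\whoami.exei.[33m.[45m.[0m"
    r".[93m.\whoami.exe.[33m.[45m .[0m"
    r".[93m.\whoami.exe.[33m.[45m .[33m.[45m.[0m"
    r".[93m.\whoami.exe.[33m.[45m .[90m/.[33m.[45m.[0m"
    r".[93m.\whoami.exe.[33m.[45m .[33m/a.[33m.[45m.[0m"
    r".[93m.\whoami.exe.[33m.[45m .[33m/al.[33m.[45m.[0m"
    r".[93m.\whoami.exe.[33m.[45m .[33m/all.[33m.[45m.[0m"
)

# ECMA-48 CSI sequence: ESC '[' parameter bytes 0x30-0x3f, intermediate
# bytes 0x20-0x2f, one final byte 0x40-0x7e. Covers SGR codes like ESC[93m.
CSI_RE = re.compile(rb"\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]")


def restore_escapes(preview: str) -> bytes:
    """Turn the report's '.[' placeholder back into ESC '[' (0x1b 0x5b)."""
    return preview.replace(".[", "\x1b[").encode("ascii")


def strip_ansi(data: bytes) -> bytes:
    """Remove every CSI sequence, leaving only the printable text."""
    return CSI_RE.sub(b"", data)


def typed_states(data: bytes) -> list[str]:
    """Each redraw of the input line ends with an SGR reset (ESC[0m).
    Splitting on the reset and stripping colour codes gives the command as
    it looked after each keystroke (tab completion shows as a jump)."""
    states = []
    for chunk in data.split(b"\x1b[0m"):
        text = strip_ansi(chunk).decode("ascii", errors="replace")
        if text.strip():
            states.append(text)
    return states


def final_command(data: bytes) -> str:
    """The last redraw is the command line as it stood when capture ended."""
    states = typed_states(data)
    return states[-1].strip() if states else ""


if __name__ == "__main__":
    raw = restore_escapes(PREVIEW)
    print(len(raw), "bytes")            # matches the report's Size field
    for state in typed_states(raw):
        print(repr(state))
    print("final:", final_command(raw))
```

The split on `ESC[0m` relies on the redraw ending with a reset, which holds for this capture; for a longer session that also contains output text, filter `typed_states()` down to the states that start with the command colour (`ESC[93m`) before taking the last one.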
                                                                                                                                                File type:Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
                                                                                                                                                Entropy (8bit):7.999990186348391
                                                                                                                                                TrID:
                                                                                                                                                • ZIP compressed archive (8000/1) 99.91%
                                                                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.09%
                                                                                                                                                File name:d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi.zip
                                                                                                                                                File size:14'664'427 bytes
                                                                                                                                                MD5:2e68d1dbedf3e80f938a305ada936c8d
                                                                                                                                                SHA1:81cac25a0e566d7741961dd0f9c93bdd16c81e88
                                                                                                                                                SHA256:8e36968274e6eff65a02d776953af1147ad72b682bb340457d119a5512365605
                                                                                                                                                SHA512:bda6adecb19839765e95ae01b7235cfd1b6083b1d3521436a6edf79258661435da7c17d4d311f80bf31bdeb48baf6d6bcfdc7d5030182eaa0b28a5e34e3a5c15
                                                                                                                                                SSDEEP:393216:Fq8HQQmAQtJBCkedH+XaOhDCfEGBzNItJh0RDV2:lLZUPe1+XkEGEtJh0RJ2
                                                                                                                                                TLSH:47E6330858603D89CBCDBDE30ED1CDF5195E1FBD6949CC385756C1CC8226F7A4A2EA2A
                                                                                                                                                File Content Preview:PK..3...c.vG.Y............D...d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi......AE...(%.bn..D..60......X...@....<..Hn........F.8._. .......)..........Z...~.,.5....A.t.:..@..Q.9M....r.x....r....\..D.e;_.Wz|...1...$".{.cl...\.p....D:
                                                                                                                                                Icon Hash:1c1c1e4e4ececedc
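The sample itself is a ZIP whose content is AES-encrypted: the file type line above reports compression method "AES Encrypted" (method 99 in the ZIP headers) and a version-needed of 5.1, and the archive entropy of 7.99999 is what an encrypted payload looks like. For triage this means neither a static scanner nor Python's zipfile can see the .msi without the archive password; in this analysis the .msi was extracted with 7-Zip (7zG.exe in the process list below) before msiexec.exe ran. The check below is an added Python example for this page, not Joe Sandbox or 7-Zip code. It reads the central directory and flags encrypted entries and the WinZip AES markers (method 99 plus the 0x9901 extra field), so a pipeline can route such archives to a password-recovery step instead of reporting them clean. Both archives it inspects are constructed in memory; the "AES" one carries the header markers of a real AE-2 archive but its payload bytes are not actually encrypted.

```python
"""Flag AES-encrypted ZIP entries from the central directory.

Added example for this report, not Joe Sandbox or 7-Zip code. build_zip()
produces constructed single-entry archives; with aes=True the headers carry
the markers of a WinZip AE-2 archive (general purpose bit 0, method 99,
extra field 0x9901, version-needed 5.1) while the payload is stored as-is.
"""
from __future__ import annotations

import io
import struct
import zipfile
import zlib

AES_METHOD = 99          # compression method WinZip AES writes (file: "AES Encrypted")
AES_EXTRA_ID = 0x9901    # WinZip AES extra data field
AES_STRENGTH = {1: 128, 2: 192, 3: 256}


def build_zip(name: bytes, payload: bytes, *, aes: bool) -> bytes:
    """Constructed single-entry ZIP (local header, central directory, EOCD).
    aes=True mirrors AE-2: CRC 0, method 99, extra 0x9901 = AES-256 over
    deflate, version-needed 51 (5.1). Payload is NOT encrypted here."""
    if aes:
        needed, flags, method, crc = 51, 0x0001, AES_METHOD, 0
        # vendor version 2 (AE-2), vendor 'AE', strength 3 (256-bit), inner method 8
        extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
    else:
        needed, flags, method, crc = 20, 0x0000, zipfile.ZIP_STORED, zlib.crc32(payload)
        extra = b""
    dos_time, dos_date = 0, (1 << 5) | 1      # 1980-01-01 00:00
    size = len(payload)
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", needed, flags, method,
                        dos_time, dos_date, crc, size, size, len(name), len(extra))
    local += name + extra + payload
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, needed, flags,
                          method, dos_time, dos_date, crc, size, size, len(name),
                          len(extra), 0, 0, 0, 0, 0)
    central += name + extra
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def triage_zip(data: bytes) -> list[dict]:
    """Per entry: encrypted? WinZip AES? key size and inner method if the
    0x9901 extra field is present. zipfile lists such entries fine but
    raises on read, so the verdict must come from the directory."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            rec = {
                "name": info.filename,
                "encrypted": bool(info.flag_bits & 0x0001),
                "aes": info.compress_type == AES_METHOD,
                "aes_bits": None,
                "inner_method": None,
            }
            extra, pos = info.extra, 0
            while pos + 4 <= len(extra):          # walk the extra-field TLVs
                hid, ln = struct.unpack_from("<HH", extra, pos)
                if hid == AES_EXTRA_ID and ln >= 7:
                    _ver, _vendor, strength, inner = struct.unpack_from("<H2sBH", extra, pos + 4)
                    rec["aes"] = True
                    rec["aes_bits"] = AES_STRENGTH.get(strength)
                    rec["inner_method"] = inner
                pos += 4 + ln
            results.append(rec)
    return results


def needs_password(data: bytes) -> bool:
    """True if any entry cannot be inspected without the archive password."""
    return any(r["encrypted"] for r in triage_zip(data))


if __name__ == "__main__":
    plain = build_zip(b"readme.txt", b"hello", aes=False)
    locked = build_zip(b"payload.msi", b"\x00" * 32, aes=True)
    print(triage_zip(plain), needs_password(plain))
    print(triage_zip(locked), needs_password(locked))
```

Method 99 on its own is enough to call the entry WinZip AES; the 0x9901 field adds the key size and the compression actually used underneath. Entries encrypted with legacy ZipCrypto show only the general purpose bit and a normal method, which `needs_password()` also catches. Python cannot decrypt either kind out of the box, so the follow-up is a password from the lure and an extractor such as 7-Zip, as happened in this analysis.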
                                                                                                                                                No network behavior found

                                                                                                                                                Target ID:1
                                                                                                                                                Start time:04:25:44
                                                                                                                                                Start date:12/10/2024
                                                                                                                                                Path:C:\Windows\System32\rundll32.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                                                                                Imagebase:0x7ff604db0000
                                                                                                                                                File size:71'680 bytes
                                                                                                                                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:11
                                                                                                                                                Start time:04:26:18
                                                                                                                                                Start date:12/10/2024
                                                                                                                                                Path:C:\Program Files\7-Zip\7zG.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi\" -spe -an -ai#7zMap15499:192:7zEvent20179
                                                                                                                                                Imagebase:0xd80000
                                                                                                                                                File size:700'416 bytes
                                                                                                                                                MD5 hash:50F289DF0C19484E970849AAC4E6F977
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:moderate
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:13
                                                                                                                                                Start time:04:26:28
                                                                                                                                                Start date:12/10/2024
                                                                                                                                                Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi\d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi"
                                                                                                                                                Imagebase:0x7ff6dc940000
                                                                                                                                                File size:69'632 bytes
                                                                                                                                                MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:14
                                                                                                                                                Start time:04:26:30
                                                                                                                                                Start date:12/10/2024
                                                                                                                                                Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                                                Imagebase:0x7ff6dc940000
                                                                                                                                                File size:69'632 bytes
                                                                                                                                                MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:false

                                                                                                                                                Target ID:15
                                                                                                                                                Start time:04:26:33
                                                                                                                                                Start date:12/10/2024
                                                                                                                                                Path:C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe"
                                                                                                                                                Imagebase:0x1c0000
                                                                                                                                                File size:621'968 bytes
                                                                                                                                                MD5 hash:E11235CB041E3AE98CB17D746B45CB66
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Yara matches:
                                                                                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000003.1745283637.00000000033A1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000003.1745283637.00000000033A1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000003.1748957291.0000000003418000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000003.1748957291.0000000003418000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000003.1750127063.0000000003418000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000003.1750127063.0000000003418000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000003.1742404659.00000000051C1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000003.1742404659.00000000051C1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000003.1749417346.00000000052AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000003.1749417346.00000000052AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000003.1753919014.00000000057F3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000003.1753919014.00000000057F3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000002.1764870232.00000000033A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.1764870232.00000000033A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000003.1750585922.0000000005778000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000003.1750585922.0000000005778000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000003.1751129561.000000000532A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000003.1751129561.000000000532A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                Antivirus matches:
                                                                                                                                                • Detection: 0%, ReversingLabs
                                                                                                                                                Reputation:low
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:18
                                                                                                                                                Start time:04:26:39
                                                                                                                                                Start date:12/10/2024
                                                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1228
                                                                                                                                                Imagebase:0xd80000
                                                                                                                                                File size:483'680 bytes
                                                                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:26
                                                                                                                                                Start time:04:27:11
                                                                                                                                                Start date:12/10/2024
                                                                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                                                                                                                                Imagebase:0x7ff7582a0000
                                                                                                                                                File size:452'608 bytes
                                                                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:false

                                                                                                                                                Target ID:27
                                                                                                                                                Start time:04:27:11
                                                                                                                                                Start date:12/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff6684c0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:false

                                                                                                                                                Target ID:28
                                                                                                                                                Start time:04:27:23
                                                                                                                                                Start date:12/10/2024
                                                                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Windows\system32\cmd.exe" /c powershell -ep bypass
                                                                                                                                                Imagebase:0x7ff6fd780000
                                                                                                                                                File size:289'792 bytes
                                                                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:false

                                                                                                                                                Target ID:29
                                                                                                                                                Start time:04:27:23
                                                                                                                                                Start date:12/10/2024
                                                                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:powershell -ep bypass
                                                                                                                                                Imagebase:0x7ff7582a0000
                                                                                                                                                File size:452'608 bytes
                                                                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:false

                                                                                                                                                Target ID:30
                                                                                                                                                Start time:04:27:33
                                                                                                                                                Start date:12/10/2024
                                                                                                                                                Path:C:\Windows\System32\whoami.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Windows\system32\whoami.exe" /all
                                                                                                                                                Imagebase:0x7ff71dc60000
                                                                                                                                                File size:73'728 bytes
                                                                                                                                                MD5 hash:A4A6924F3EAF97981323703D38FD99C4
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:moderate
                                                                                                                                                Has exited:true


                                                                                                                                                  Execution Graph

                                                                                                                                                  Execution Coverage:1.3%
                                                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                  Signature Coverage:1.5%
                                                                                                                                                  Total number of Nodes:270
                                                                                                                                                  Total number of Limit Nodes:5
execution_graph (interactive node/edge view; the raw node list is summarised here by function root, with the API calls reached from each root in the order the graph reaches them)
• 6bc01000: GetFileAttributesW → CreateFileW → SetFilePointerEx → GlobalAlloc, ReadFile → CloseHandle → VirtualAlloc → loop over LoadLibraryA / GetProcAddress → VirtualProtect (twice). A file is read into a fresh allocation, imports are resolved by name and page protections are changed afterwards, which is the shape of an in-memory loader stub.
• 6bc52471: CRT start-up and shutdown (__CRT_INIT@12): GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter; __RTC_Initialize, GetCommandLineA, ___crtGetEnvironmentStringsA, __setargv, __setenvp; GetStartupInfoW, GetStdHandle, GetFileType, InitializeCriticalSectionAndSpinCount; EnterCriticalSection, DeleteCriticalSection, RtlAllocateHeap, Sleep; _doexit, __freeptd, __ioterm, __mtterm, __initterm_e, __IsNonwritableInCurrentImage, __FF_MSGBANNER, __NMSG_WRITE.
• 6248a2a0: malloc → _beginthreadex → sched_get_priority_min / sched_get_priority_max → ResumeThread, SetThreadPriority; pthread_self, free; SetEvent, CreateEventA, WaitForSingleObject, CloseHandle via the helpers at 62482750 (18 API calls) and 62481518 (10 API calls).
• 62482750 and 62481518: event-based synchronisation helpers (SetEvent, CreateEventA, WaitForSingleObject, CloseHandle; 62482750 also calls calloc).
• 62484c50: pthread_key_create; GetSystemDirectoryA → strncat → LoadLibraryA → GetProcAddress (twice) → FreeLibrary; pthread_key_delete (twice), free, SetEvent, CreateEventA, WaitForSingleObject, CloseHandle.
• 624859c4: pthread_getspecific → GetCurrentThreadId, GetCurrentProcess, GetCurrentThread, DuplicateHandle → GetThreadPriority, pthread_setspecific; SetEvent, CreateEventA, WaitForSingleObject, CloseHandle via 62482dc8.
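The execution graph is dumped as a flat token stream: a node is "<id> <address> [labels]", an edge is "<src>-><dst>", and labels are the Win32 or CRT calls made in that block. As an added example (my own parser and triage heuristic, not Joe Sandbox tooling), the block below reads that stream back into a graph, walks it breadth-first from each function entry so that calls come out in loader order, and flags the allocate → resolve-imports → protect sequence that the 6bc01000 root exhibits. The token layout is inferred from the dump above and is an assumption; the sample is the opening of this page's own dump, copied token for token.

```python
import re
from collections import defaultdict

# Constructed input: the opening of the execution_graph dump on this page, copied
# token for token (the first function root, 6bc01000, and everything reachable from it).
SAMPLE_GRAPH = (
    "execution_graph 13927 6bc01000 13938 6bc03216 13927->13938 13929 6bc0101b "
    "13930 6bc0108f VirtualAlloc 13929->13930 13931 6bc010bd 13930->13931 "
    "13944 6bc0223b 13931->13944 13933 6bc010d8 13934 6bc010e1 VirtualProtect "
    "13933->13934 13935 6bc01109 13934->13935 13936 6bc0114b VirtualProtect "
    "13935->13936 13937 6bc01162 13935->13937 13936->13935 13939 6bc03221 "
    "13938->13939 13949 6bc0309f 13939->13949 13942 6bc03377 13942->13929 "
    "13943 6bc0330b 13953 6bc02f9b 13943->13953 13945 6bc0224d 13944->13945 "
    "13946 6bc0228c 13945->13946 13947 6bc022d9 LoadLibraryA 13945->13947 "
    "13948 6bc02362 GetProcAddress 13945->13948 13946->13933 13947->13945 "
    "13948->13945 13950 6bc030aa 13949->13950 13951 6bc030ba GetFileAttributesW "
    "13950->13951 13952 6bc030ce 13951->13952 13952->13943 13954 6bc02fa6 "
    "13953->13954 13955 6bc03010 CreateFileW 13954->13955 13956 6bc0303a "
    "SetFilePointerEx 13955->13956 13959 6bc03036 13955->13959 13957 6bc03063 "
    "GlobalAlloc ReadFile 13956->13957 13956->13959 13958 6bc03094 CloseHandle "
    "13957->13958 13957->13959 13958->13959 13959->13942"
)

# Token layout as observed in the dump (an assumption, not a documented format):
#   "<id> <addr> [label ...]" declares a node, "<src>-><dst>" declares an edge.
EDGE = re.compile(r"^(\d+)->(\d+)$")
ADDR = re.compile(r"^[0-9a-f]{8}$")


def parse_execution_graph(text):
    nodes, edges, current = {}, defaultdict(list), None
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges[m.group(1)].append(m.group(2))
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            # A bare number is a node id only when an 8-hex-digit address follows;
            # this keeps the "33" in "__CRT_INIT@12 33 API calls" as a label.
            current = tok
            nodes[current] = {"addr": tokens[i + 1], "labels": []}
            i += 2
        else:
            if current is not None:  # anything else annotates the current node
                nodes[current]["labels"].append(tok)
            i += 1
    return nodes, edges


def roots(nodes, edges):
    """Nodes with no incoming edge: the function entry points of the graph."""
    targets = {dst for dsts in edges.values() for dst in dsts}
    return [n for n in nodes if n not in targets]


def first_depths(nodes, edges, root):
    """BFS from root; record the shortest hop count at which each label is reached."""
    depths, seen, frontier, depth = {}, {root}, [root], 0
    while frontier:
        nxt = []
        for n in frontier:
            for label in nodes[n]["labels"]:
                depths.setdefault(label, depth)
            for dst in edges.get(n, []):
                if dst not in seen and dst in nodes:
                    seen.add(dst)
                    nxt.append(dst)
        frontier, depth = nxt, depth + 1
    return depths


# Stages of an in-memory PE loader, in the order they have to happen.
# Assumption: a triage heuristic of my own, not a Joe Sandbox signature.
LOADER_STAGES = (
    ("VirtualAlloc",),                   # obtain memory for the mapped image
    ("LoadLibraryA", "GetProcAddress"),  # resolve imports by name
    ("VirtualProtect",),                 # set section protections afterwards
)


def looks_like_manual_mapping(depths):
    """True when every stage occurs and none is first reached earlier than its predecessor."""
    last = -1
    for alternatives in LOADER_STAGES:
        hits = [depths[a] for a in alternatives if a in depths]
        if not hits or min(hits) < last:
            return False
        last = min(hits)
    return True


def analyse(text):
    nodes, edges = parse_execution_graph(text)
    report = []
    for root in roots(nodes, edges):
        depths = first_depths(nodes, edges, root)
        report.append({
            "root": root,
            "addr": nodes[root]["addr"],
            "calls": sorted(depths, key=depths.get),
            "manual_mapping": looks_like_manual_mapping(depths),
        })
    return report


if __name__ == "__main__":
    for entry in analyse(SAMPLE_GRAPH):
        flag = "LOADER-LIKE" if entry["manual_mapping"] else "ok"
        print(f"{entry['addr']} [{flag}]: {' -> '.join(entry['calls'])}")
```

Breadth-first depth is used instead of a depth-first walk because the GetProcAddress loop at 6bc0224d has its exit edge listed before its body edges; a DFS in dump order would report VirtualProtect before the import resolution, a BFS puts VirtualAlloc at hop 14, LoadLibraryA / GetProcAddress at hop 18 and VirtualProtect at hop 20, which is the order the loader actually needs.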

Control-flow Graph (interactive view; the report marks each block as executed or not executed)

control_flow_graph for 62482750: 45 basic blocks, 62482750 through 62482be9. The API-calling blocks are 6248279e, 62482816, 62482a4b and 62482ace (SetEvent); 62482827, 624828cc, 62482958, 62482af8 and 62482b70 (CreateEventA); 62482903, 6248299d, 62482b30 and 62482bab (CloseHandle); 624829ec, 62482ae0, 62482bb6 and 62482bd6 (WaitForSingleObject); and 624829ac (calloc). Every CreateEventA block falls through to either a CloseHandle block or a WaitForSingleObject block, the pattern of a create-signal-wait-release helper.
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Event$Create
                                                                                                                                                  • String ID: 40Ib$40Ib
                                                                                                                                                  • API String ID: 1287507382-1775419244
                                                                                                                                                  • Opcode ID: 424d46f3bfdd776bd2b9adb00e1368517de4c425544c4f8731a0a019556a48aa
                                                                                                                                                  • Instruction ID: 584c8828d86234b02c2051be1c2cc070bbf35f51a350ff41df1bb38564450644
                                                                                                                                                  • Opcode Fuzzy Hash: 424d46f3bfdd776bd2b9adb00e1368517de4c425544c4f8731a0a019556a48aa
                                                                                                                                                  • Instruction Fuzzy Hash: 1CC149B06157419FE704EF29C564B1BBBE1BF85718F008A2DE8A88B780DB79D545CF82

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 62482750: SetEvent.KERNEL32 ref: 624827A1
                                                                                                                                                    • Part of subcall function 62482750: SetEvent.KERNEL32 ref: 62482819
                                                                                                                                                    • Part of subcall function 62482750: CreateEventA.KERNEL32 ref: 624828AB
                                                                                                                                                  • malloc.MSVCRT ref: 6248A2E2
                                                                                                                                                  • _beginthreadex.MSVCRT ref: 6248A361
                                                                                                                                                  • sched_get_priority_min.PTHREADGC2 ref: 6248A380
                                                                                                                                                  • ResumeThread.KERNEL32(?,00000000,00000000,00000000), ref: 6248A392
                                                                                                                                                  • pthread_self.PTHREADGC2 ref: 6248A3D4
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Event$CreateResumeThread_beginthreadexmallocpthread_selfsched_get_priority_min
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2799622174-0
                                                                                                                                                  • Opcode ID: 45dd0bba87b6086b20e6a48fffb0cf9a902ba85e061442d65b4db4e611e5d9a0
                                                                                                                                                  • Instruction ID: f41924078a323dfdf9ba3bfc2a1e81a84cdddc2bc0f36509bcb1b40e4f2c95af
                                                                                                                                                  • Opcode Fuzzy Hash: 45dd0bba87b6086b20e6a48fffb0cf9a902ba85e061442d65b4db4e611e5d9a0
                                                                                                                                                  • Instruction Fuzzy Hash: B6911CB0519711DFD7409F28C4A0B1BBBE0AF85718F51992DE8998B390DBB8D981CF93

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressLibraryProcpthread_key_create$DirectoryFreeLoadSystemstrncat
                                                                                                                                                  • String ID: QueueUserAPCEx$QueueUserAPCEx_Init$\QUSEREX.DLL
                                                                                                                                                  • API String ID: 2212840258-2059956921
                                                                                                                                                  • Opcode ID: 527cc0d86fdd6c22cc6cdb3589f71905ef06e06c0e0e70491c401841aeb713d3
                                                                                                                                                  • Instruction ID: af5ec4c9b78618ccf54e551aee6fed366ce78101f36f0c1317368921c7ad4910
                                                                                                                                                  • Opcode Fuzzy Hash: 527cc0d86fdd6c22cc6cdb3589f71905ef06e06c0e0e70491c401841aeb713d3
                                                                                                                                                  • Instruction Fuzzy Hash: 16319270A693009ADB04AF38D5A0B9A7FE8AF5378CF01492DDD589B248E73DC584CF91

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • __lock.LIBCMT ref: 6BC569A6
                                                                                                                                                    • Part of subcall function 6BC577EB: __mtinitlocknum.LIBCMT ref: 6BC577FD
                                                                                                                                                    • Part of subcall function 6BC577EB: __amsg_exit.LIBCMT ref: 6BC57809
                                                                                                                                                    • Part of subcall function 6BC577EB: EnterCriticalSection.KERNEL32(?,?,6BC52951,0000000D,6BC6E288,00000008,6BC52A22,?,00000001,?,6BC52465,00000000,6BC6E248,00000008,6BC524EE,?), ref: 6BC57816
                                                                                                                                                  • __calloc_crt.LIBCMT ref: 6BC569B7
                                                                                                                                                    • Part of subcall function 6BC573F1: __calloc_impl.LIBCMT ref: 6BC57400
                                                                                                                                                    • Part of subcall function 6BC573F1: Sleep.KERNEL32(00000000), ref: 6BC57417
                                                                                                                                                  • @_EH4_CallFilterFunc@8.LIBCMT ref: 6BC569D2
                                                                                                                                                  • GetStartupInfoW.KERNEL32(?,6BC6E518,00000064,6BC52352), ref: 6BC56A2B
                                                                                                                                                  • __calloc_crt.LIBCMT ref: 6BC56A76
                                                                                                                                                  • GetFileType.KERNEL32(00000001), ref: 6BC56ABD
                                                                                                                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 6BC56AF6
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1772694379.000000006BC04000.00000080.00000001.01000000.0000001D.sdmp, Offset: 6BC00000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1772566060.000000006BC00000.00000002.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1772649678.000000006BC01000.00000040.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1773080344.000000006BC5F000.00000002.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1773185176.000000006BC6F000.00000004.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1773235468.000000006BC73000.00000008.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1773277104.000000006BC74000.00000002.00000001.01000000.0000001D.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_6bc00000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__amsg_exit__calloc_impl__lock__mtinitlocknum
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2673217650-0
                                                                                                                                                  • Opcode ID: 45f69d8856779d4830aad5d10d69cb541e3f7642f04d289458374d00c78d4c1b
                                                                                                                                                  • Instruction ID: 14cf275c9994f022c584a1039751910d04562c9c5a2bacdb0f4b653e534399fb
                                                                                                                                                  • Opcode Fuzzy Hash: 45f69d8856779d4830aad5d10d69cb541e3f7642f04d289458374d00c78d4c1b
                                                                                                                                                  • Instruction Fuzzy Hash: B081D472915A558FDB14CFA8C880599BBF0BF06724B1442BED4E5AB3C1E738D622CB18

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • pthread_getspecific.PTHREADGC2(?,?,?,?,?,?,?,?,?,?,?,62485568), ref: 624859D2
                                                                                                                                                    • Part of subcall function 62484FD8: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,62485041), ref: 62484FE5
                                                                                                                                                    • Part of subcall function 62484FD8: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,62485041), ref: 62484FF1
                                                                                                                                                    • Part of subcall function 62484FD8: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,62485041), ref: 62484FFE
                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 62485A0C
                                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 62485A17
                                                                                                                                                  • GetCurrentThread.KERNEL32 ref: 62485A1E
                                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 62485A25
                                                                                                                                                  • DuplicateHandle.KERNEL32 ref: 62485A54
                                                                                                                                                  • GetThreadPriority.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 62485A6E
                                                                                                                                                  • pthread_setspecific.PTHREADGC2 ref: 62485A86
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Current$Thread$ErrorLastProcess$DuplicateHandlePriorityValuepthread_getspecificpthread_setspecific
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3801400185-0
                                                                                                                                                  • Opcode ID: f4c334d67835bea2d5980b50e658cf3f5c070f53a40f569ea48807404b259657
                                                                                                                                                  • Instruction ID: df89b729fd39c32366203f9e63d96e5a08ef551b968adb438e34e224658af10b
                                                                                                                                                  • Opcode Fuzzy Hash: f4c334d67835bea2d5980b50e658cf3f5c070f53a40f569ea48807404b259657
                                                                                                                                                  • Instruction Fuzzy Hash: 9C2118B09293018FD704EF39C494A1ABBE0BF85358F41886EE898CB305EB78D545CB92

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • CreateFileW.KERNEL32(00049B88,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,?,?,?,6BC03377), ref: 6BC0302A
                                                                                                                                                  • SetFilePointerEx.KERNEL32(000000FF,?,?,00000000,00000000,?,?,?,?,?,?,?,?,6BC03377,6BC0101B), ref: 6BC03052
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1772649678.000000006BC01000.00000040.00000001.01000000.0000001D.sdmp, Offset: 6BC00000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1772566060.000000006BC00000.00000002.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1772694379.000000006BC04000.00000080.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1773080344.000000006BC5F000.00000002.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1773185176.000000006BC6F000.00000004.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1773235468.000000006BC73000.00000008.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1773277104.000000006BC74000.00000002.00000001.01000000.0000001D.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_6bc00000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: File$CreatePointer
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2024441833-0
                                                                                                                                                  • Opcode ID: 3a1783de728371a5116d306911a429dc6a9b055882cffecaee98f67f931c2861
                                                                                                                                                  • Instruction ID: a6d68d600db46c5380ca5b745a5f91d2b476bfa65855a2a9132c1dc47f3c0165
                                                                                                                                                  • Opcode Fuzzy Hash: 3a1783de728371a5116d306911a429dc6a9b055882cffecaee98f67f931c2861
                                                                                                                                                  • Instruction Fuzzy Hash: 80310731D14209BFDF119FA4DC06AADBBB1FF08714F20406AF560B50A0EB365B50AB58

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 6BC0109E
                                                                                                                                                  • VirtualProtect.KERNEL32(00000000,?,00000002,?), ref: 6BC010FD
                                                                                                                                                  • VirtualProtect.KERNEL32(?,?,?,?), ref: 6BC0115C
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1772649678.000000006BC01000.00000040.00000001.01000000.0000001D.sdmp, Offset: 6BC00000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1772566060.000000006BC00000.00000002.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1772694379.000000006BC04000.00000080.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1773080344.000000006BC5F000.00000002.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1773185176.000000006BC6F000.00000004.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1773235468.000000006BC73000.00000008.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1773277104.000000006BC74000.00000002.00000001.01000000.0000001D.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_6bc00000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Virtual$Protect$Alloc
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2541858876-0
                                                                                                                                                  • Opcode ID: bd534aa6fe1edbb2655a245878cf30484205f58a80d0fc21d6796371870ec50e
                                                                                                                                                  • Instruction ID: b528926c4eb4de9199e5664f88f341ff40487a63b59b53795841ef9568c1a020
                                                                                                                                                  • Opcode Fuzzy Hash: bd534aa6fe1edbb2655a245878cf30484205f58a80d0fc21d6796371870ec50e
                                                                                                                                                  • Instruction Fuzzy Hash: C951C371D10218AFDF05DFE8D846AEDFBB5BF08319F10805AE514BA261EB3A5A51CF50
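The memory-dump names and the API bullets in the record above carry the two facts an analyst checks first in a self-modifying module: the page protection of each dumped region (0x40 on the 6BC01000 page is PAGE_EXECUTE_READWRITE, the condition behind the "PE file has a writeable .text section" signature in the overview) and whether VirtualAlloc/VirtualProtect were called asking for that protection. The Python below is an added example, not Joe Sandbox code and not part of this report: it parses those lines and flags writable-and-executable image pages, RWX allocation/protection requests, and the LoadLibraryA/GetProcAddress pairing. The field layout it assumes for .sdmp names (PID.phase.id.base.protection.type.allocation-type.index) is my reading of the names on this page and is an assumption; the Win32 constants are the documented winnt.h values.

```python
import re
from dataclasses import dataclass

# Win32 page-protection and memory-type constants (documented winnt.h values).
PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY = 0x02, 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
MEM_IMAGE = 0x1000000
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITE_MASK = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# ASSUMED layout of a Joe Sandbox .sdmp name:
#   PID.PHASE.ID.BASE.PROTECT.TYPE.ALLOCTYPE.INDEX.sdmp
# PROTECT and ALLOCTYPE agree with the Win32 values above in every record on
# this page (0x40 on the 6BC01000 text page, 0x01000000 = MEM_IMAGE); the
# remaining fields are not needed here and are carried through undecoded.
SDMP_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})"
    r"\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$", re.I)


@dataclass(frozen=True)
class Region:
    pid: int
    base: int
    protect: int
    alloc_type: int

    @property
    def writable_executable(self) -> bool:
        return bool(self.protect & EXEC_MASK) and bool(self.protect & WRITE_MASK)


def parse_sdmp(name: str) -> Region:
    """Decode one memory-dump file name into a Region (raises on a malformed name)."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not an sdmp name: {name!r}")
    pid, _phase, _id, base, prot, _typ, alloc, _idx = m.groups()
    return Region(int(pid, 16), int(base, 16), int(prot, 16), int(alloc, 16))


# One 'APIs' bullet from the report: "• Name.MODULE(arg,arg,...), ref: ADDR".
API_RE = re.compile(r"•\s*(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-F]+)", re.I)


def parse_api_line(line: str):
    """Return (name, module, argv, ref) for an API bullet, or None if it is not one."""
    m = API_RE.search(line)
    if not m:
        return None
    name, module, args, ref = m.groups()
    argv = [a.strip() for a in args.split(",")] if args.strip() else []
    return name, module.upper(), argv, int(ref, 16)


def _hex_arg(argv, i):
    """argv[i] as int, or None when the sandbox could not recover it ('?')."""
    if i >= len(argv) or argv[i] == "?":
        return None
    return int(argv[i], 16)


def flag_api_calls(lines):
    """Findings for RWX memory requests and the LoadLibrary/GetProcAddress pairing."""
    findings, seen = [], set()
    for line in lines:
        parsed = parse_api_line(line)
        if not parsed:
            continue
        name, _mod, argv, ref = parsed
        seen.add(name)
        # VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)
        if name == "VirtualAlloc" and _hex_arg(argv, 3) == PAGE_EXECUTE_READWRITE:
            findings.append(f"rwx-alloc@{ref:08X}")
        # VirtualProtect(lpAddress, dwSize, flNewProtect, lpflOldProtect)
        if name == "VirtualProtect" and _hex_arg(argv, 2) == PAGE_EXECUTE_READWRITE:
            findings.append(f"rwx-protect@{ref:08X}")
    if {"LoadLibraryA", "GetProcAddress"} <= seen:
        findings.append("dynamic-api-resolution")
    return findings


def flag_regions(names):
    """Base addresses of image-backed regions that are both writable and executable."""
    return [r.base for r in map(parse_sdmp, names)
            if r.alloc_type == MEM_IMAGE and r.writable_executable]


# Constructed sample input: dump names and API bullets copied from the record above.
SAMPLE_SDMP = [
    "0000000F.00000002.1772649678.000000006BC01000.00000040.00000001.01000000.0000001D.sdmp",
    "0000000F.00000002.1772566060.000000006BC00000.00000002.00000001.01000000.0000001D.sdmp",
    "0000000F.00000002.1773185176.000000006BC6F000.00000004.00000001.01000000.0000001D.sdmp",
    "0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp",
]
SAMPLE_APIS = [
    "• VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 6BC0109E",
    "• VirtualProtect.KERNEL32(00000000,?,00000002,?), ref: 6BC010FD",
    "• VirtualProtect.KERNEL32(?,?,?,?), ref: 6BC0115C",
    "• LoadLibraryA.KERNEL32(?), ref: 6BC022DC",
    "• GetProcAddress.KERNEL32(00000000,?), ref: 6BC02376",
]

if __name__ == "__main__":
    print([hex(b) for b in flag_regions(SAMPLE_SDMP)])
    print(flag_api_calls(SAMPLE_APIS))
```

On this record the only image page that is writable and executable is the 6BC01000 text page, and the only RWX request is the VirtualAlloc at 6BC0109E; the second VirtualProtect asks for PAGE_READONLY (0x02) and the third has no recoverable arguments, so neither is flagged. Arguments the sandbox prints as "?" are treated as unknown rather than as zero, which avoids false negatives when only some call sites were resolved.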

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  [graph rendered as an image; recoverable structure: entry block 6bc0223b-6bc0227a calls 6bc0216c, 6bc02132, 6bc0214f and 6bc0196b; outer loop 6bc022b1-6bc022b8 → 6bc022be-6bc022d7 → LoadLibraryA at 6bc022d9-6bc022df → 6bc022e2-6bc022e6 → 6bc022ef-6bc022f9 → 6bc02314-6bc02320 → inner loop → 6bc02386 → back to 6bc022b1; inner loop 6bc02334-6bc0233a → 6bc0233c-6bc0234a → GetProcAddress at 6bc02362-6bc02379 (alternate path 6bc0234c-6bc02360) → 6bc0237c-6bc02384 → back to 6bc02334; exits 6bc0228c-6bc0228e, 6bc022e8-6bc022ea and 6bc0238b-6bc0239b all reach 6bc0239e-6bc0239f]
                                                                                                                                                  APIs
                                                                                                                                                  • LoadLibraryA.KERNEL32(?), ref: 6BC022DC
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 6BC02376
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1772649678.000000006BC01000.00000040.00000001.01000000.0000001D.sdmp, Offset: 6BC00000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1772566060.000000006BC00000.00000002.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1772694379.000000006BC04000.00000080.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1773080344.000000006BC5F000.00000002.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1773185176.000000006BC6F000.00000004.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1773235468.000000006BC73000.00000008.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1773277104.000000006BC74000.00000002.00000001.01000000.0000001D.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_6bc00000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2574300362-0
                                                                                                                                                  • Opcode ID: 13e88093eca7a74e6f7e2843363ae382f0f6a81123a7ee47207706172e7ec647
                                                                                                                                                  • Instruction ID: 210d429543bdc4100a9a172c849ac32144d9f36c1300e2a07faa9b79e327934d
                                                                                                                                                  • Opcode Fuzzy Hash: 13e88093eca7a74e6f7e2843363ae382f0f6a81123a7ee47207706172e7ec647
                                                                                                                                                  • Instruction Fuzzy Hash: 7351B670D1520ADFDB04CF98C8A4BADBBB5FF09319F108099E911AB391DB799A81CF54

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  [graph rendered as an image; recoverable structure: entry block 6bc0309f-6bc030cc calls 6bc02007 and 6bc02473, then GetFileAttributesW; result checked in 6bc030ce-6bc030d4 and 6bc030d6-6bc030dd, with 6bc030df as the other path; all paths converge at 6bc030e3-6bc030e7]
                                                                                                                                                  APIs
                                                                                                                                                  • GetFileAttributesW.KERNEL32(6BC0330B,?,?,6BC0330B,?), ref: 6BC030C2
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1772649678.000000006BC01000.00000040.00000001.01000000.0000001D.sdmp, Offset: 6BC00000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1772566060.000000006BC00000.00000002.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1772694379.000000006BC04000.00000080.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1773080344.000000006BC5F000.00000002.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1773185176.000000006BC6F000.00000004.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1773235468.000000006BC73000.00000008.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1773277104.000000006BC74000.00000002.00000001.01000000.0000001D.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_6bc00000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AttributesFile
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3188754299-0
                                                                                                                                                  • Opcode ID: 7b969595f91f97c2b16cbd7c2b7b989fddf638fc283f809ae5b1398a80b5b5a2
                                                                                                                                                  • Instruction ID: 55bd94592df5a24273292d84b8b2ffad2cfca32b244e887505aa72c3a693b1ea
                                                                                                                                                  • Opcode Fuzzy Hash: 7b969595f91f97c2b16cbd7c2b7b989fddf638fc283f809ae5b1398a80b5b5a2
                                                                                                                                                  • Instruction Fuzzy Hash: 3AF03071D1520DEFEF00EFA4D846A9CFBB0FB0431CF108595D42166191EB7A5B819B44
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ObjectSingleWait$Event_ftime$pthread_self$pthread_equal
                                                                                                                                                  • String ID: 00Ib$00Ib
                                                                                                                                                  • API String ID: 2663759302-3143399735
                                                                                                                                                  • Opcode ID: c0910315902004cc1d1795d6d346b6d1b0f939e47f483289408a62bb8b7ed586
                                                                                                                                                  • Instruction ID: 5fab8a428c89eb576d4e3262919311c36b493f54a953d2e4ed31592648cdad18
                                                                                                                                                  • Opcode Fuzzy Hash: c0910315902004cc1d1795d6d346b6d1b0f939e47f483289408a62bb8b7ed586
                                                                                                                                                  • Instruction Fuzzy Hash: A55270716297128FD744DF39C5A0B1AB7E1BF85728F108A2DE898CB395D738D941CB82
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1772694379.000000006BC04000.00000080.00000001.01000000.0000001D.sdmp, Offset: 6BC00000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1772566060.000000006BC00000.00000002.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1772649678.000000006BC01000.00000040.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1773080344.000000006BC5F000.00000002.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1773185176.000000006BC6F000.00000004.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1773235468.000000006BC73000.00000008.00000001.01000000.0000001D.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1773277104.000000006BC74000.00000002.00000001.01000000.0000001D.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_6bc00000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: aad7b7ec3e1c3790c5c77897deedcce480f63362963e35db22d5eb93277d1fc2
                                                                                                                                                  • Instruction ID: e0c8612bcf8323a4b334d19ab4c0d1fc3ee97223047e153b038dd472b589b9a1
                                                                                                                                                  • Opcode Fuzzy Hash: aad7b7ec3e1c3790c5c77897deedcce480f63362963e35db22d5eb93277d1fc2
                                                                                                                                                  • Instruction Fuzzy Hash: 9B325176B122288FDB248F69CC806DAB7F5FB46354F0440D9D41AE7A44E7389BA0CF56
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: @$@$invalid bit length repeat$invalid block type$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$invalid stored block lengths$too many length or distance symbols
                                                                                                                                                  • API String ID: 0-2458015535
                                                                                                                                                  • Opcode ID: 480458d99bb864b81686c7c00a8d1d5f481d88d2b69fc0b0877fc06832221fc5
                                                                                                                                                  • Instruction ID: aaecf94b156e6b576ec74117f0522ce8d58e1a662c1c956ddeb41d848e17a0b8
                                                                                                                                                  • Opcode Fuzzy Hash: 480458d99bb864b81686c7c00a8d1d5f481d88d2b69fc0b0877fc06832221fc5
                                                                                                                                                  • Instruction Fuzzy Hash: 65D20975E142598FCB14CFA9C4A069DFBF2BF89314F24C16AD898AB345D3389946CF90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: AddressLibraryProc$FreeLoad
• String ID: __mingwthr_key_dtor$__mingwthr_remove_key_dtor$mingwm10.dll
• API String ID: 2256533930-1831764645
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1772694379.000000006BC04000.00000080.00000001.01000000.0000001D.sdmp, Offset: 6BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6bc00000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID:
• String ID: AuthenticAMD$Genu$ineI$ntel
• API String ID: 0-2440413955
APIs
• VirtualAlloc.KERNEL32(00000000,00000040,00001000,00000004), ref: 6BC1C8D7
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 6BC1E87B
Memory Dump Source
• Source File: 0000000F.00000002.1772694379.000000006BC04000.00000080.00000001.01000000.0000001D.sdmp, Offset: 6BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6bc00000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
APIs
• VirtualAlloc.KERNEL32(00000000,00000040,00001000,00000004), ref: 6BC14837
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 6BC16970
Memory Dump Source
• Source File: 0000000F.00000002.1772694379.000000006BC04000.00000080.00000001.01000000.0000001D.sdmp, Offset: 6BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6bc00000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
APIs
• OutputDebugStringA.KERNEL32(MotionBlurScale_SSE4_1 : Warning !! The Dst buffer width or height is not the same as expected.), ref: 6BC37C90
Strings
• MotionBlurScale_SSE4_1 : Warning !! The Dst buffer width or height is not the same as expected., xrefs: 6BC37C8B
Memory Dump Source
• Source File: 0000000F.00000002.1772694379.000000006BC04000.00000080.00000001.01000000.0000001D.sdmp, Offset: 6BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6bc00000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: DebugOutputString
• String ID: MotionBlurScale_SSE4_1 : Warning !! The Dst buffer width or height is not the same as expected.
• API String ID: 1166629820-2936571655
Strings
• invalid distance code, xrefs: 62E882EF
• invalid literal/length code, xrefs: 62E88244
• invalid distance too far back, xrefs: 62E88796
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID:
• String ID: invalid distance code$invalid distance too far back$invalid literal/length code
• API String ID: 0-3255898291
APIs
• OutputDebugStringA.KERNEL32(MotionBlurDirection : Warning !! The Dst buffer width or height is not the same as expected.), ref: 6BC3506D
Strings
• MotionBlurDirection : Warning !! The Dst buffer width or height is not the same as expected., xrefs: 6BC35068
Memory Dump Source
• Source File: 0000000F.00000002.1772694379.000000006BC04000.00000080.00000001.01000000.0000001D.sdmp, Offset: 6BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6bc00000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: DebugOutputString
• String ID: MotionBlurDirection : Warning !! The Dst buffer width or height is not the same as expected.
• API String ID: 1166629820-2582941018
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
• Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID:
• String ID: .$gfff$gfff
• API String ID: 0-2819268606
• Opcode ID: a7bdce88798a3121cdbad411e47ad03323a3903414a061856a44396c220ed1d9
• Instruction ID: b93177785e2b3be4e42b3df0c40743118a87bab21836833a35cb292ce8f2099f
• Opcode Fuzzy Hash: a7bdce88798a3121cdbad411e47ad03323a3903414a061856a44396c220ed1d9
• Instruction Fuzzy Hash: 53D18971A083418BDB04CE69C0A070AF7E1AFC8358FA8C97DFCC89B355D679D9458B82
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,6BC541F8,?,?,?,00000000), ref: 6BC573E0
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 6BC573E9
Memory Dump Source
• Source File: 0000000F.00000002.1772694379.000000006BC04000.00000080.00000001.01000000.0000001D.sdmp, Offset: 6BC00000, based on PE: true
• Associated: 0000000F.00000002.1772566060.000000006BC00000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1772649678.000000006BC01000.00000040.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773080344.000000006BC5F000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773185176.000000006BC6F000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773235468.000000006BC73000.00000008.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773277104.000000006BC74000.00000002.00000001.01000000.0000001D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6bc00000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: d00fe4ae836d8ba9707f33b4370eabecb7a9749e2bdd243b02308fcb0baa5832
• Instruction ID: 4009482a8d99b4a96aec471bf7597228c7bdd0191eae9e758d0ced6b3b86d248
• Opcode Fuzzy Hash: d00fe4ae836d8ba9707f33b4370eabecb7a9749e2bdd243b02308fcb0baa5832
• Instruction Fuzzy Hash: ACB09236044208AFCE452B91D809B893F78EB86652F048011F70E54050CB6296608AA1
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
• Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID:
• String ID: invalid bit length repeat
• API String ID: 0-1557105326
• Opcode ID: 8ccb00b87bc10c7008984cdbbef37afef5eec48319d1533b21ea90aae1456f29
• Instruction ID: b26cc5bd88380247d59bfaebd8d6a7e91ee45f5d7353ebef311742df04224b10
• Opcode Fuzzy Hash: 8ccb00b87bc10c7008984cdbbef37afef5eec48319d1533b21ea90aae1456f29
• Instruction Fuzzy Hash: 0F221676D046299FCB14CFA8D4A02DCFBB1BF49314F2A816AE899B7341D734A945CB90
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
• Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID:
• String ID: 1.2.5
• API String ID: 0-1624589015
• Opcode ID: 7f6af4a4a4e4db1c3f10afba68f6cf6a74c8fb202dd94dce20211f2c4acab0e2
• Instruction ID: 97fff856cb81c01c5f15b2ede1ae8f8208f2fec45143211d84cba813d9a4841c
• Opcode Fuzzy Hash: 7f6af4a4a4e4db1c3f10afba68f6cf6a74c8fb202dd94dce20211f2c4acab0e2
• Instruction Fuzzy Hash: 1A81B332D605668FDB18CF69C8402AA73A2FB8F345BDA8D36CB546B245C335B852C7D0
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID:
• String ID: 00Ib
• API String ID: 0-1996699157
• Opcode ID: 94637b37977b380b6d8f5552d228d7ed785c43a112f4300b46994e6d4c880c89
• Instruction ID: 47ed8076a70035953cf547b1d0fabe9f8f19dfbea49840aa5485feac178cd378
• Opcode Fuzzy Hash: 94637b37977b380b6d8f5552d228d7ed785c43a112f4300b46994e6d4c880c89
• Instruction Fuzzy Hash: 8131D432B66621D7D308897EC860B4BB3D79BC5764F55C22BA859C3750D5B8CC428781
Memory Dump Source
• Source File: 0000000F.00000002.1772694379.000000006BC04000.00000080.00000001.01000000.0000001D.sdmp, Offset: 6BC00000, based on PE: true
• Associated: 0000000F.00000002.1772566060.000000006BC00000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1772649678.000000006BC01000.00000040.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773080344.000000006BC5F000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773185176.000000006BC6F000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773235468.000000006BC73000.00000008.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773277104.000000006BC74000.00000002.00000001.01000000.0000001D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6bc00000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d99b69be1a62f8cd515dca4a2dba8f8a5c64d3ba3ca16e9c4c24be77680a3413
• Instruction ID: 3fed5d5f62cc1e65ce897d4a1fd3e861aaf01e5885dee6ebfec729736d78b417
• Opcode Fuzzy Hash: d99b69be1a62f8cd515dca4a2dba8f8a5c64d3ba3ca16e9c4c24be77680a3413
• Instruction Fuzzy Hash: 1482E3319297818FD312CF3AC48126AFBE0BFDA244F05CB2EF89867651E736E5459B01
Memory Dump Source
• Source File: 0000000F.00000002.1772694379.000000006BC04000.00000080.00000001.01000000.0000001D.sdmp, Offset: 6BC00000, based on PE: true
• Associated: 0000000F.00000002.1772566060.000000006BC00000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1772649678.000000006BC01000.00000040.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773080344.000000006BC5F000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773185176.000000006BC6F000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773235468.000000006BC73000.00000008.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773277104.000000006BC74000.00000002.00000001.01000000.0000001D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6bc00000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d48854c8439362cea6c80c326c1d937f7a91eba246df555cc06f65ad8c158945
• Instruction ID: a5f71b76a6363d73d0526fef7d800516650e3ce74b219841e2a808f6e15f57f9
• Opcode Fuzzy Hash: d48854c8439362cea6c80c326c1d937f7a91eba246df555cc06f65ad8c158945
• Instruction Fuzzy Hash: 4342C276A087118FD304CE29C89026FBBE6AFD9311F058B2EF89997345D734DA458B52
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
• Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cbfed040cc350f9fd59cb8271e1be1f16654e09b398c2feb77068450b9bbe418
• Instruction ID: 9957f4c4087d2eb1905f693f290502094b70e56f9a117a61b2e7a8c403008a6d
• Opcode Fuzzy Hash: cbfed040cc350f9fd59cb8271e1be1f16654e09b398c2feb77068450b9bbe418
• Instruction Fuzzy Hash: 09620674D04269CBDB24CFA8C4A06EDBBB1FF48308F20816DC899AB395D7785986CF54
Memory Dump Source
• Source File: 0000000F.00000002.1772694379.000000006BC04000.00000080.00000001.01000000.0000001D.sdmp, Offset: 6BC00000, based on PE: true
• Associated: 0000000F.00000002.1772566060.000000006BC00000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1772649678.000000006BC01000.00000040.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773080344.000000006BC5F000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773185176.000000006BC6F000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773235468.000000006BC73000.00000008.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773277104.000000006BC74000.00000002.00000001.01000000.0000001D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6bc00000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 43a8d94978617cfbca3bce8de872221893aaff614ae64288cd9548da1d9a6edc
• Instruction ID: 4af669d1c3b7fe94fd99bcdc72e63aec65cbbec31733aa96645c1088ba8cd417
• Opcode Fuzzy Hash: 43a8d94978617cfbca3bce8de872221893aaff614ae64288cd9548da1d9a6edc
• Instruction Fuzzy Hash: 603256309287428BD706CE3AC48126AB7A1AF9B344F04CB2FFC9476541F73AE690DB50
Memory Dump Source
• Source File: 0000000F.00000002.1772694379.000000006BC04000.00000080.00000001.01000000.0000001D.sdmp, Offset: 6BC00000, based on PE: true
• Associated: 0000000F.00000002.1772566060.000000006BC00000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1772649678.000000006BC01000.00000040.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773080344.000000006BC5F000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773185176.000000006BC6F000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773235468.000000006BC73000.00000008.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773277104.000000006BC74000.00000002.00000001.01000000.0000001D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6bc00000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 66eaceb82b5eed2cbf8b5332dd7189bcfa1ba10bd27dfb32869630956ff64e87
• Instruction ID: 47cb59e2b5ef74ac2e861b72efe02271fbe0e5b1c1f826e2a63ff85aec24d69c
• Opcode Fuzzy Hash: 66eaceb82b5eed2cbf8b5332dd7189bcfa1ba10bd27dfb32869630956ff64e87
• Instruction Fuzzy Hash: 5BC1B034D297538AE712CF398881255B7A0AFE3241F11C72EFCA53A942F77AE242C751
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
• Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 179ba01b676e9bfb6a232a472cd12f1a68e9df7310133ca9ef2023848d7b84f8
• Instruction ID: e42ec29be8b5d45d3129bbedd441990b735a0303d4e9108531445820a5536ff9
• Opcode Fuzzy Hash: 179ba01b676e9bfb6a232a472cd12f1a68e9df7310133ca9ef2023848d7b84f8
• Instruction Fuzzy Hash: D251A470A046188BDB298EADC4F17DA77B0EB0630CF2085B9C6EEDB350D6759691CF40
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
• Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e105391766f0ab4855c16481151d701a6c3501fc1efd9a16d337f89b6c32a7f
• Instruction ID: 1127256c9fd36870edb8a28e7fe60fa87920e39060669afeb26e6129623aeee0
• Opcode Fuzzy Hash: 9e105391766f0ab4855c16481151d701a6c3501fc1efd9a16d337f89b6c32a7f
• Instruction Fuzzy Hash: 8E316072F00125479B14CABE98A01DEF7E7ABDC668B29C236D819E3344E571DC0287D0
Memory Dump Source
• Source File: 0000000F.00000003.1714864839.00000000009F8000.00000004.00000020.00020000.00000000.sdmp, Offset: 009F6000, based on PE: false
• Associated: 0000000F.00000003.1713159155.00000000009F6000.00000004.00000020.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_3_9f6000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 42ac22080e2db22f9260151af78ebb596282cc5972da0506f025bf93b85c8ff2
• Instruction ID: 1125a500b86f27567f9b169fd37b7fff1d3c87ce38a2efc530f00352c78b01ec
• Opcode Fuzzy Hash: 42ac22080e2db22f9260151af78ebb596282cc5972da0506f025bf93b85c8ff2
• Instruction Fuzzy Hash: EC21B0AA40E7C05ED30357745CA62947FB1AE47220B4F41C7C4E4DF1E3DA581A0AD772
Memory Dump Source
• Source File: 0000000F.00000003.1714864839.00000000009F8000.00000004.00000020.00020000.00000000.sdmp, Offset: 009F8000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_3_9f6000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 42ac22080e2db22f9260151af78ebb596282cc5972da0506f025bf93b85c8ff2
• Instruction ID: 1125a500b86f27567f9b169fd37b7fff1d3c87ce38a2efc530f00352c78b01ec
• Opcode Fuzzy Hash: 42ac22080e2db22f9260151af78ebb596282cc5972da0506f025bf93b85c8ff2
• Instruction Fuzzy Hash: EC21B0AA40E7C05ED30357745CA62947FB1AE47220B4F41C7C4E4DF1E3DA581A0AD772
Memory Dump Source
• Source File: 0000000F.00000003.1714864839.00000000009F8000.00000004.00000020.00020000.00000000.sdmp, Offset: 009FC000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_3_9f6000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 42ac22080e2db22f9260151af78ebb596282cc5972da0506f025bf93b85c8ff2
• Instruction ID: 1125a500b86f27567f9b169fd37b7fff1d3c87ce38a2efc530f00352c78b01ec
• Opcode Fuzzy Hash: 42ac22080e2db22f9260151af78ebb596282cc5972da0506f025bf93b85c8ff2
• Instruction Fuzzy Hash: EC21B0AA40E7C05ED30357745CA62947FB1AE47220B4F41C7C4E4DF1E3DA581A0AD772
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Event$sem_destroy$_errnofreepthread_mutex_unlock
• String ID: 0Ib$ 0Ib$,0Ib
• API String ID: 2697538053-322448077
• Opcode ID: 764b6ea695bbe79398fef36560db64ea86ee1b56fbcc798253f1df5057fa2467
• Instruction ID: 5c6b8f8bf3f909e4653e8845ab6e5be26d0613f209f803b196b899961ee088e9
• Opcode Fuzzy Hash: 764b6ea695bbe79398fef36560db64ea86ee1b56fbcc798253f1df5057fa2467
• Instruction Fuzzy Hash: 5EE12C70619B02CFD704EF39C9A0B1ABBE1AF85718F11892DD4989B380EB79D545CBD2
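The records above are dense but carry the information an analyst needs for triage: the .sdmp file name encodes the process (0000000F = PID 15), the capture phase (2 at the end of the run, 3 during it), the region base, and the page protection and memory type as plain Windows constants (00000020 = PAGE_EXECUTE_READ, 00000004 = PAGE_READWRITE, 00000080 = PAGE_EXECUTE_WRITECOPY, 01000000 = MEM_IMAGE, 00020000 = MEM_PRIVATE). Read that way, the three records sharing Opcode ID 42ac2208… come from private read-write memory captured mid-run rather than from a mapped image, and the module at 6BC00000 was dumped from execute+write pages. The script below is an added example, not code from the report or from Joe Sandbox: it parses record blocks in the shape shown on this page and pulls out those three signals. The field layout of the .sdmp name (pid.phase.sequence.address.protect.flag.type.module) is an assumption inferred from the records here, the sixth field is left undecoded, and the sample input is constructed from shortened copies of records on this page.

```python
# Added example (not from the report or Joe Sandbox): parse the "Memory Dump
# Source" records above and triage them. The .sdmp name layout
# pid.phase.sequence.address.protect.flag.type.module is an assumption read
# off this page (the "flag" field is not decoded); PAGE_*/MEM_* values are
# the documented Windows constants from winnt.h.
import re
from collections import defaultdict

PAGE_PROTECT = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
WRITABLE_EXECUTABLE = {0x40, 0x80}
MEM_TYPE = {0x1000000: "MEM_IMAGE", 0x40000: "MEM_MAPPED", 0x20000: "MEM_PRIVATE"}

SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.(?P<seq>\d+)\."
    r"(?P<address>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<flag>[0-9A-F]{8})\."
    r"(?P<memtype>[0-9A-F]{8})\.(?P<module>[0-9A-F]{8})\.sdmp$")
SOURCE_RE = re.compile(
    r"Source File: (\S+\.sdmp), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")


def parse_sdmp_name(name):
    """Split one .sdmp file name into its fields (layout is an assumption)."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError("not an sdmp name: " + name)
    protect, memtype = int(m["protect"], 16), int(m["memtype"], 16)
    return {"pid": int(m["pid"], 16), "phase": int(m["phase"], 16),
            "address": int(m["address"], 16), "module": int(m["module"], 16),
            "protect": protect, "protect_name": PAGE_PROTECT.get(protect, hex(protect)),
            "memtype": MEM_TYPE.get(memtype, hex(memtype))}


def parse_records(text):
    """One dict per 'Memory Dump Source' block; bullets, indentation and the
    'Download File' link residue of the HTML report are ignored."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").replace("Download File", "").strip()
        if line == "Memory Dump Source":
            cur = {"associated": [], "api_id": "", "string_id": "", "opcode_id": ""}
            records.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Source File:"):
            m = SOURCE_RE.search(line)
            cur.update(parse_sdmp_name(m[1]))
            cur["offset"], cur["based_on_pe"] = int(m[2], 16), m[3] == "true"
        elif line.startswith("Associated:"):
            cur["associated"].append(parse_sdmp_name(line.partition(":")[2].strip()))
        elif line.startswith(("API ID:", "String ID:", "Opcode ID:")):
            key = line.partition(":")[0].lower().replace(" ", "_")
            cur[key] = line.partition(":")[2].strip()
    return records


def duplicate_functions(records):
    """Opcode IDs found at more than one offset (same code at several addresses)."""
    groups = defaultdict(list)
    for r in records:
        groups[r["opcode_id"]].append(r["offset"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def non_image_code(records):
    """Offsets of functions not disassembled from a mapped PE image: private
    read-write memory captured during the run is where unpacked code shows up."""
    return [r["offset"] for r in records
            if not r["based_on_pe"] or r["memtype"] != "MEM_IMAGE"]


def writable_executable_modules(records):
    """Image bases whose dumps include a page that is both writable and executable."""
    return sorted({r["offset"] for r in records
                   if any(d["protect"] in WRITABLE_EXECUTABLE for d in [r] + r["associated"])})


# Constructed input: five records copied in shortened form from this page.
SAMPLE = """\
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
• Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmpDownload File
• Opcode ID: cbfed040cc350f9fd59cb8271e1be1f16654e09b398c2feb77068450b9bbe418
Memory Dump Source
• Source File: 0000000F.00000002.1772694379.000000006BC04000.00000080.00000001.01000000.0000001D.sdmp, Offset: 6BC00000, based on PE: true
• Associated: 0000000F.00000002.1772649678.000000006BC01000.00000040.00000001.01000000.0000001D.sdmpDownload File
• Opcode ID: 43a8d94978617cfbca3bce8de872221893aaff614ae64288cd9548da1d9a6edc
Memory Dump Source
• Source File: 0000000F.00000003.1714864839.00000000009F8000.00000004.00000020.00020000.00000000.sdmp, Offset: 009F6000, based on PE: false
• Opcode ID: 42ac22080e2db22f9260151af78ebb596282cc5972da0506f025bf93b85c8ff2
Memory Dump Source
• Source File: 0000000F.00000003.1714864839.00000000009F8000.00000004.00000020.00020000.00000000.sdmp, Offset: 009F8000, based on PE: false
• Opcode ID: 42ac22080e2db22f9260151af78ebb596282cc5972da0506f025bf93b85c8ff2
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• API ID: Event$sem_destroy$_errnofreepthread_mutex_unlock
• Opcode ID: 764b6ea695bbe79398fef36560db64ea86ee1b56fbcc798253f1df5057fa2467
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(hex(r["offset"]), r["protect_name"], r["memtype"], r["api_id"] or "-")
    print("duplicates:", duplicate_functions(recs))
    print("non-image code:", [hex(o) for o in non_image_code(recs)])
    print("W+X modules:", [hex(o) for o in writable_executable_modules(recs)])
```

Run against the full report text the same functions give a quick worklist: non_image_code points at the regions to carve for an unpacked payload, writable_executable_modules flags images whose code pages can be patched at run time, and duplicate_functions collapses repeated Opcode IDs so the same routine is not reviewed three times. The API ID field, where present, splits on "$" into the imported names the function calls, which is how the 62480000 module is recognisable as a pthreads wrapper from this listing alone.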
APIs
• pthread_self.PTHREADGC2 ref: 6248AB5F
  • Part of subcall function 624859C4: pthread_getspecific.PTHREADGC2(?,?,?,?,?,?,?,?,?,?,?,62485568), ref: 624859D2
• WaitForMultipleObjects.KERNEL32 ref: 6248AB98
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: MultipleObjectsWaitpthread_getspecificpthread_self
• String ID: 40Ib$40Ib
• API String ID: 2884636504-1775419244
• Opcode ID: c338cc5b2da1166706ef63746e2fd0e20933603ee93300f9eb5478b9cd23cacd
                                                                                                                                                  • Instruction ID: e4d537ff8b970c380cdb3c170cd267c6585d6da0b764a4681caf0be14c34d2df
                                                                                                                                                  • Opcode Fuzzy Hash: c338cc5b2da1166706ef63746e2fd0e20933603ee93300f9eb5478b9cd23cacd
                                                                                                                                                  • Instruction Fuzzy Hash: E5D14EB16193118BD704DF39C460B2BBBE1AF85368F05892DE9988B380DB79D545CBD3
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Event$Freefree
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1842897153-0
                                                                                                                                                  • Opcode ID: 2bd1197591d7ad28161c57e48fd5c76f83a984e5aa969e3c48ff4743b0cc4cea
                                                                                                                                                  • Instruction ID: 831d8dfb63e9d11df6bc7896c692173f11c86926e9654ee590dac13469df5439
                                                                                                                                                  • Opcode Fuzzy Hash: 2bd1197591d7ad28161c57e48fd5c76f83a984e5aa969e3c48ff4743b0cc4cea
                                                                                                                                                  • Instruction Fuzzy Hash: A0D11A701197029FD745EF78C560B1BBBE4AF85758F018A2CE4A89B380EB78D545CBD2
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Event$ObjectSingleWait$pthread_equalpthread_self$CloseCreateHandle
                                                                                                                                                  • String ID: 00Ib$00Ib
                                                                                                                                                  • API String ID: 4018796677-3143399735
                                                                                                                                                  • Opcode ID: 77074f3d504798ca0d636a72bcd6d98a8419e553bd5ed188a103e09cba2e5062
                                                                                                                                                  • Instruction ID: 4b5e02841eb104ac91b603bd3b23e4eb402a2909b6e6ad553adb0a6a8227033e
                                                                                                                                                  • Opcode Fuzzy Hash: 77074f3d504798ca0d636a72bcd6d98a8419e553bd5ed188a103e09cba2e5062
                                                                                                                                                  • Instruction Fuzzy Hash: 62E15E746187018FD704DF38C4A0B1ABBE1AF85728F108A6DD8688F395DB79D985CBD2
                                                                                                                                                  APIs
                                                                                                                                                  • pthread_mutex_lock.PTHREADGC2 ref: 62489D83
                                                                                                                                                  • pthread_mutex_lock.PTHREADGC2 ref: 62489D94
                                                                                                                                                  • pthread_mutex_unlock.PTHREADGC2 ref: 62489DB9
                                                                                                                                                  • pthread_mutex_unlock.PTHREADGC2 ref: 62489DC3
                                                                                                                                                  • SetEvent.KERNEL32 ref: 62489E24
                                                                                                                                                  • SetEvent.KERNEL32(00000000), ref: 62489E73
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Eventpthread_mutex_lockpthread_mutex_unlock
                                                                                                                                                  • String ID: (0Ib$(0Ib
                                                                                                                                                  • API String ID: 864068950-971630126
                                                                                                                                                  • Opcode ID: 5efa33e29e365dfccee06321513bcb8635aebf8ed7fbe9eaa9a3ae15c540cefc
                                                                                                                                                  • Instruction ID: d95caed51f7f7ef76fdebcf8654f8e7deb9af60c29cada252207af0f362cb326
                                                                                                                                                  • Opcode Fuzzy Hash: 5efa33e29e365dfccee06321513bcb8635aebf8ed7fbe9eaa9a3ae15c540cefc
                                                                                                                                                  • Instruction Fuzzy Hash: 82617571128B068FD751AF78C560B1ABBE1AF85758F01C92CD4998B380EB3ED546CBC6
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: pthread_testcancel$ObjectSingleSleepWaitpthread_self
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1640746926-0
                                                                                                                                                  • Opcode ID: 80fb9c7b1cf065040cedce52d7a0a05687c946ce6a7eea4179b2bde78da8459e
                                                                                                                                                  • Instruction ID: 430836e4bc4bacf97ebac3c4ad1e9a0423cd56b27deee1e74b07d253819d3aaf
                                                                                                                                                  • Opcode Fuzzy Hash: 80fb9c7b1cf065040cedce52d7a0a05687c946ce6a7eea4179b2bde78da8459e
                                                                                                                                                  • Instruction Fuzzy Hash: 06C14FB06157028FD715AF39C860B2BB7E5AF85718F058A2DE898CB380DB39D545CBD2
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Event$sem_init$CloseCreateHandle_errnocallocfreepthread_mutex_init
                                                                                                                                                  • String ID: $ 0Ib$ 0Ib
                                                                                                                                                  • API String ID: 4185087634-169993702
                                                                                                                                                  • Opcode ID: 2f1dd3ce2d9822a2b2a1048b3ec590e6835d67412d324b0d07bf07ceac9a7793
                                                                                                                                                  • Instruction ID: 75da85fc42cf9cf37ebe59a15c02a36c0af402cc8ffe5248b6ce9a35761834cb
                                                                                                                                                  • Opcode Fuzzy Hash: 2f1dd3ce2d9822a2b2a1048b3ec590e6835d67412d324b0d07bf07ceac9a7793
                                                                                                                                                  • Instruction Fuzzy Hash: FB714C756193068FE704AF39C860B1BBBE0AF86358F01892DE4988F350DB79C545CBD2
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Event$pthread_equalpthread_self
                                                                                                                                                  • String ID: 00Ib$00Ib
                                                                                                                                                  • API String ID: 4252371553-3143399735
                                                                                                                                                  • Opcode ID: df0d4fedd25e9aa890ec0607af74fb6d9912d41ea212317f684687d7e089f1a5
                                                                                                                                                  • Instruction ID: 1b76d9a27f9589e0acad61f1da92a80ed6212d12696907a0ba393f2260bd8d83
                                                                                                                                                  • Opcode Fuzzy Hash: df0d4fedd25e9aa890ec0607af74fb6d9912d41ea212317f684687d7e089f1a5
                                                                                                                                                  • Instruction Fuzzy Hash: 6AB160706143018FD704DF29C4A0B1ABBE1BF89328F16CA6DD8A98B355D739D586CF91
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Event
• String ID: 40Ib$40Ib
• API String ID: 4201588131-1775419244
• Opcode ID: a4edcf42e6fc0d01650ff76b4edda30c45995600eb74ddf52d3cd89caa306c04
• Instruction ID: 567f79db41a0bb9b57a5034b7b089b3d29cc60533b3e2c5c67fbc4ab7c1bad70
• Opcode Fuzzy Hash: a4edcf42e6fc0d01650ff76b4edda30c45995600eb74ddf52d3cd89caa306c04
• Instruction Fuzzy Hash: E3B12B706197028BD705DF29C864B1BBBE5AFC5758F018A2DE4A88B384DB79C545CBC2
APIs
• sem_wait.PTHREADGC2 ref: 6248C181
  • Part of subcall function 6248B5C8: pthread_testcancel.PTHREADGC2 ref: 6248B5D5
  • Part of subcall function 6248B5C8: pthread_mutex_lock.PTHREADGC2 ref: 6248B5E4
  • Part of subcall function 6248B5C8: pthread_mutex_unlock.PTHREADGC2 ref: 6248B5FD
• sem_post.PTHREADGC2 ref: 6248C18F
  • Part of subcall function 62487BC8: pthread_mutex_lock.PTHREADGC2 ref: 62487BDF
  • Part of subcall function 62487BC8: pthread_mutex_unlock.PTHREADGC2 ref: 62487C03
• ptw32_push_cleanup.PTHREADGC2 ref: 6248C1BF
  • Part of subcall function 6248A83C: pthread_getspecific.PTHREADGC2 ref: 6248A859
• pthread_mutex_unlock.PTHREADGC2 ref: 6248C1C7
• ptw32_pop_cleanup.PTHREADGC2 ref: 6248C1DB
• _errno.MSVCRT ref: 6248C1F8
• sem_timedwait.PTHREADGC2 ref: 6248C216
• _errno.MSVCRT ref: 6248C21F
• SetEvent.KERNEL32 ref: 6248C278
• SetEvent.KERNEL32(00000000,00000000,00000000), ref: 6248C2D4
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: pthread_mutex_unlock$Event_errnopthread_mutex_lock$pthread_getspecificpthread_testcancelptw32_pop_cleanupptw32_push_cleanupsem_postsem_timedwaitsem_wait
• String ID: ,0Ib$,0Ib
• API String ID: 4201842389-3949404277
• Opcode ID: aba43c759a62c9a65cecc43a5f94ba5325d51385b4348491598a655008f4d921
• Instruction ID: ed5ccd0084515db3812963aed8b02f251c6edc697c60eb609385e8fe288bd988
• Opcode Fuzzy Hash: aba43c759a62c9a65cecc43a5f94ba5325d51385b4348491598a655008f4d921
• Instruction Fuzzy Hash: 4F811A70519702CFD709DF69C4A0B1BBBE0AF85758F008A2DE9A88B390DB79D545CF92
APIs
• sem_wait.PTHREADGC2 ref: 6248C70C
  • Part of subcall function 6248B5C8: pthread_testcancel.PTHREADGC2 ref: 6248B5D5
  • Part of subcall function 6248B5C8: pthread_mutex_lock.PTHREADGC2 ref: 6248B5E4
  • Part of subcall function 6248B5C8: pthread_mutex_unlock.PTHREADGC2 ref: 6248B5FD
• sem_post.PTHREADGC2 ref: 6248C71A
  • Part of subcall function 62487BC8: pthread_mutex_lock.PTHREADGC2 ref: 62487BDF
  • Part of subcall function 62487BC8: pthread_mutex_unlock.PTHREADGC2 ref: 62487C03
• ptw32_push_cleanup.PTHREADGC2 ref: 6248C74A
  • Part of subcall function 6248A83C: pthread_getspecific.PTHREADGC2 ref: 6248A859
• pthread_mutex_unlock.PTHREADGC2 ref: 6248C752
• ptw32_pop_cleanup.PTHREADGC2 ref: 6248C76A
• _errno.MSVCRT ref: 6248C790
• SetEvent.KERNEL32 ref: 6248C7E8
• SetEvent.KERNEL32(00000000), ref: 6248C848
• sem_timedwait.PTHREADGC2 ref: 6248C876
• _errno.MSVCRT ref: 6248C883
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: pthread_mutex_unlock$Event_errnopthread_mutex_lock$pthread_getspecificpthread_testcancelptw32_pop_cleanupptw32_push_cleanupsem_postsem_timedwaitsem_wait
• String ID: ,0Ib$,0Ib
• API String ID: 4201842389-3949404277
• Opcode ID: e106f6ad249a74bb4f0723f65e140e52f76e3bfceb570d38c966e281fafe7441
• Instruction ID: 671b96c5e815200851885c4fcbba4dad442a2894eac12de8bb8b4533a5b473e8
• Opcode Fuzzy Hash: e106f6ad249a74bb4f0723f65e140e52f76e3bfceb570d38c966e281fafe7441
• Instruction Fuzzy Hash: 887140719197128FD704DF39C4A0B1BBBE0AF85758F018A2DE8988B390DB39D545CBD2
APIs
• pthread_mutex_timedlock.PTHREADGC2 ref: 6248C447
• pthread_mutex_timedlock.PTHREADGC2 ref: 6248C460
• ptw32_push_cleanup.PTHREADGC2 ref: 6248C4A8
• pthread_cond_timedwait.PTHREADGC2 ref: 6248C4C7
• ptw32_pop_cleanup.PTHREADGC2 ref: 6248C4E6
• SetEvent.KERNEL32 ref: 6248C544
• SetEvent.KERNEL32(00000000), ref: 6248C596
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Eventpthread_mutex_timedlock$pthread_cond_timedwaitptw32_pop_cleanupptw32_push_cleanup
• String ID: (0Ib$(0Ib
• API String ID: 10865500-971630126
• Opcode ID: 1b3895cf60166baf62c999ac471e97555938a384d049ddc5b389cc9c47731378
• Instruction ID: d91c2851f7f527505f6bb61f8ae4c9933b699ff1348471d4b8e3d13d35dbebc3
• Opcode Fuzzy Hash: 1b3895cf60166baf62c999ac471e97555938a384d049ddc5b389cc9c47731378
• Instruction Fuzzy Hash: 9B7150705297169FD708DF39C560B1BBBE0AF85758F418A2DE8989B380D738D985CBC2
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Eventpthread_mutex_lock$pthread_cond_waitptw32_pop_cleanupptw32_push_cleanup
• String ID: (0Ib$(0Ib
• API String ID: 3175075169-971630126
• Opcode ID: c07afd36809e60f3c6c3226cc91d6b10ab2480eac0c57231b4d55449798d91ef
• Instruction ID: 791a6abe4d9565c50d29311a13048179ba49a9f8bd70c9adcf686121e8ddb980
• Opcode Fuzzy Hash: c07afd36809e60f3c6c3226cc91d6b10ab2480eac0c57231b4d55449798d91ef
• Instruction Fuzzy Hash: E17150705197068BD708DF39C460B1FBBE1AF85758F418A2DE8989B380EB78C945CBD2
APIs
• pthread_getspecific.PTHREADGC2(?,?,?,?,?,?,?,?,?,?,?,?,?,?,62485508), ref: 62485298
• pthread_key_delete.PTHREADGC2(?,?,?,?,?,?,?,?,?,?,?,?,?,?,62485508), ref: 624852C8
• pthread_key_delete.PTHREADGC2(?,?,?,?,?,?,?,?,?,?,?,?,?,?,62485508), ref: 624852E3
• SetEvent.KERNEL32 ref: 6248533B
• CreateEventA.KERNEL32(?), ref: 6248536E
• CloseHandle.KERNEL32 ref: 62485389
• SetEvent.KERNEL32 ref: 624853D7
• GetProcAddress.KERNEL32 ref: 624853FF
• FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 62485415
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Event$pthread_key_delete$AddressCloseCreateFreeHandleLibraryProcpthread_getspecific
                                                                                                                                                  • String ID: 40Ib$40Ib$QueueUserAPCEx_Fini
                                                                                                                                                  • API String ID: 2430466546-4210186421
                                                                                                                                                  • Opcode ID: 257d4bdbd0e7785e3fe1e55744a3efbd2880f56115846b2d30acff4721966edf
                                                                                                                                                  • Instruction ID: e3685beca89b1beb982f9fe395082742bab2892dac16449d4fbe9fc2a3ea0125
                                                                                                                                                  • Opcode Fuzzy Hash: 257d4bdbd0e7785e3fe1e55744a3efbd2880f56115846b2d30acff4721966edf
                                                                                                                                                  • Instruction Fuzzy Hash: 21616170A153018FD705AF39C464B1BBBE0AF86718F028A2DD8999B344EB78D545CFD2
                                                                                                                                                  APIs
                                                                                                                                                  • pthread_self.PTHREADGC2 ref: 62485563
                                                                                                                                                    • Part of subcall function 624859C4: pthread_getspecific.PTHREADGC2(?,?,?,?,?,?,?,?,?,?,?,62485568), ref: 624859D2
                                                                                                                                                  • SetEvent.KERNEL32 ref: 624855E2
                                                                                                                                                  • SetEvent.KERNEL32 ref: 6248563E
                                                                                                                                                  • calloc.MSVCRT ref: 6248568B
                                                                                                                                                  • SetEvent.KERNEL32(00000000), ref: 624857A8
                                                                                                                                                  • SetEvent.KERNEL32(00000000), ref: 624857D7
                                                                                                                                                  • TlsSetValue.KERNEL32 ref: 624857F5
                                                                                                                                                  • pthread_getspecific.PTHREADGC2 ref: 62485813
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Event$pthread_getspecific$Valuecallocpthread_self
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3177204993-0
                                                                                                                                                  • Opcode ID: e328b195ee8341bfcdd4b7a40bda9c2489e283d0ecb33da7b1ff33c5a644ffb5
                                                                                                                                                  • Instruction ID: 336ae45118f71c6f8960d642e2c64ad482e5473e8659e64d019399fba45c21df
                                                                                                                                                  • Opcode Fuzzy Hash: e328b195ee8341bfcdd4b7a40bda9c2489e283d0ecb33da7b1ff33c5a644ffb5
                                                                                                                                                  • Instruction Fuzzy Hash: 5DC13A74619702CFE7149F38C460B1BBBE1AF84768F428A2DE8999B350DB38D545CBC2
                                                                                                                                                  APIs
                                                                                                                                                  • pthread_mutex_trylock.PTHREADGC2 ref: 6248843B
                                                                                                                                                  • pthread_mutex_trylock.PTHREADGC2 ref: 6248844C
                                                                                                                                                  • SetEvent.KERNEL32 ref: 624884D4
                                                                                                                                                  • SetEvent.KERNEL32(00000000), ref: 62488526
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Eventpthread_mutex_trylock
                                                                                                                                                  • String ID: (0Ib$(0Ib
                                                                                                                                                  • API String ID: 452211298-971630126
                                                                                                                                                  • Opcode ID: 6d68e17e18575ab38500b488cfce07384e70acc2575593d775cb3df246303538
                                                                                                                                                  • Instruction ID: 24f3f35308945e4f7df15cfec2f1a1a23a0baa62b4b3798d48a74a08d9405954
                                                                                                                                                  • Opcode Fuzzy Hash: 6d68e17e18575ab38500b488cfce07384e70acc2575593d775cb3df246303538
                                                                                                                                                  • Instruction Fuzzy Hash: 7161647151970A8FD7149F39C860B5B7BE1AF85798F458A2CD8A89B340EB3CC945CBC2
                                                                                                                                                  APIs
                                                                                                                                                  • pthread_kill.PTHREADGC2 ref: 6248B05A
                                                                                                                                                    • Part of subcall function 62482540: SetEvent.KERNEL32 ref: 6248259C
                                                                                                                                                    • Part of subcall function 62482540: SetEvent.KERNEL32(00000000), ref: 624825F0
                                                                                                                                                  • pthread_self.PTHREADGC2 ref: 6248B070
                                                                                                                                                  • pthread_equal.PTHREADGC2 ref: 6248B08C
                                                                                                                                                  • SetEvent.KERNEL32 ref: 6248B0D8
                                                                                                                                                  • CreateEventA.KERNEL32 ref: 6248B10F
                                                                                                                                                  • CloseHandle.KERNEL32 ref: 6248B12E
                                                                                                                                                  • SetEvent.KERNEL32 ref: 6248B188
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Event$CloseCreateHandlepthread_equalpthread_killpthread_self
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3567724137-0
                                                                                                                                                  • Opcode ID: d28e5e38d8071dc0d53248fbe32a97f24c8b03476967a7ddce328f8150f9984a
                                                                                                                                                  • Instruction ID: 8bb0652a742bb1d8a5bceaf13f457368473408656cd5c2653143a8566dcb618d
                                                                                                                                                  • Opcode Fuzzy Hash: d28e5e38d8071dc0d53248fbe32a97f24c8b03476967a7ddce328f8150f9984a
                                                                                                                                                  • Instruction Fuzzy Hash: 54A109701197028FD311AF39C864B2BBBE4AF85358F108A2DE498CB391DB79D585CBD2
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Event
                                                                                                                                                  • String ID: (0Ib$(0Ib
                                                                                                                                                  • API String ID: 4201588131-971630126
                                                                                                                                                  • Opcode ID: de03cd6c93a302518bb446aa6f0797731ed3099820f0a9515aff275cc98e422e
                                                                                                                                                  • Instruction ID: 1555a84dc194ac38dd83c13e8ffd4e5cfc687441763ef42979562aab9afe904d
                                                                                                                                                  • Opcode Fuzzy Hash: de03cd6c93a302518bb446aa6f0797731ed3099820f0a9515aff275cc98e422e
                                                                                                                                                  • Instruction Fuzzy Hash: 6361317051570A9FD704AF39C960B1BB7E0AF85798F058A2DE8A89B340DB39C945CBD2
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Event
                                                                                                                                                  • String ID: (0Ib$(0Ib
                                                                                                                                                  • API String ID: 4201588131-971630126
                                                                                                                                                  • Opcode ID: 596d7d12b2287f2c7afee225dbd905fefa28e55f7d58832a3fbbc0e62cf0a420
                                                                                                                                                  • Instruction ID: 103eda4e75299d63ee53e56a4c6a616f7bcbfc255152b143e6a22f9e9e59f0af
                                                                                                                                                  • Opcode Fuzzy Hash: 596d7d12b2287f2c7afee225dbd905fefa28e55f7d58832a3fbbc0e62cf0a420
                                                                                                                                                  • Instruction Fuzzy Hash: 4B51537151570A9FD714EF39C860B5BB7E1AF85358F118A2CE8A89B340EB38C945CBC2
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Event
• String ID: (0Ib$(0Ib
• API String ID: 4201588131-971630126
• Opcode ID: ab25e8fe1f2f69b6067e763a681a956a372c558be2a74d356a13d1d698b61c16
• Instruction ID: e13ad17809ee1446b02a0a35f5fcb44ce5ebe18ba0400525feaa4b733a28b5b5
• Opcode Fuzzy Hash: ab25e8fe1f2f69b6067e763a681a956a372c558be2a74d356a13d1d698b61c16
• Instruction Fuzzy Hash: DB512C705187069FD715AF39C864B1A7BE1AF85758F01CA2CE8A99B380DB39C945CFC2
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Event$CloseHandlefreepthread_mutex_trylockpthread_mutex_unlock
• String ID: 00Ib$00Ib
• API String ID: 1860873260-3143399735
• Opcode ID: 8f775099a7e3675a9abc7b5a77cc5723f5318d5c570ff03822bfc43cbd4b43ed
• Instruction ID: a0bee27f31a0b55c305b74e577c54d7d6452227de1ad7cc80823938bcc8b56b8
• Opcode Fuzzy Hash: 8f775099a7e3675a9abc7b5a77cc5723f5318d5c570ff03822bfc43cbd4b43ed
• Instruction Fuzzy Hash: DD6160706257028FD380AF39C4A0B1BB7E1AF85728F50893DE9A88B354DB79D545CB82
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
• Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: freemalloc$Init2_inflate
• String ID: 1.2.5$8$out of memory$unknown compression method$unknown header flags set
• API String ID: 418816003-1559348662
• Opcode ID: d3871141341fc05b0e62c4e622886e13eebcdc4dd41ab7dd671e10db93df7f91
• Instruction ID: fd6cae4127603ca1bf734e033c65c5f862f04db9110aab6d5255d2357481deb9
• Opcode Fuzzy Hash: d3871141341fc05b0e62c4e622886e13eebcdc4dd41ab7dd671e10db93df7f91
• Instruction Fuzzy Hash: 55E1FC706046418BDB088F3CC4E071A3BE5AF45359B6295BDE8ABCF34ADB38D945DB50
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Event
• String ID: 00Ib$00Ib
• API String ID: 4201588131-3143399735
• Opcode ID: 62c3b39a172976128c4f555cfa03111433cfdc3e2345d509def2cb0b079a8632
• Instruction ID: 488eaa9ba7482fbc4814b6aea2108f21851de6f0640d3b6763bb7cfcea58370d
• Opcode Fuzzy Hash: 62c3b39a172976128c4f555cfa03111433cfdc3e2345d509def2cb0b079a8632
• Instruction Fuzzy Hash: 075145705157019FD7059F38C9A0B6BBBE0AF85718F118A2CE4A98B380DB7DD546CBD2
APIs
• pthread_key_delete.PTHREADGC2 ref: 62484E18
  • Part of subcall function 624844D0: SetEvent.KERNEL32 ref: 62484542
  • Part of subcall function 624844D0: SetEvent.KERNEL32 ref: 624845B2
  • Part of subcall function 624844D0: SetEvent.KERNEL32(00000000), ref: 624845FF
• pthread_key_delete.PTHREADGC2 ref: 62484E33
• SetEvent.KERNEL32 ref: 62484E8B
• SetEvent.KERNEL32(00000000), ref: 62484EE7
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Event$pthread_key_delete
• String ID: 40Ib$40Ib
• API String ID: 2183179807-1775419244
• Opcode ID: f8e909874acd18d66664425f2643ce18ecfafd13a9e522c10979637fac04834e
• Instruction ID: 60b34f1ca3dde0ad01dae76935f4fe35604284433b45ede49ce019e7db247fd2
• Opcode Fuzzy Hash: f8e909874acd18d66664425f2643ce18ecfafd13a9e522c10979637fac04834e
• Instruction Fuzzy Hash: 505140716157028FE705AF39C4A4B27BBE8AF85358F018A2CE5988B384DB38D545CBD2
APIs
• pthread_key_delete.PTHREADGC2 ref: 62484A1B
  • Part of subcall function 624844D0: SetEvent.KERNEL32 ref: 62484542
  • Part of subcall function 624844D0: SetEvent.KERNEL32 ref: 624845B2
  • Part of subcall function 624844D0: SetEvent.KERNEL32(00000000), ref: 624845FF
• pthread_key_delete.PTHREADGC2 ref: 62484A36
• SetEvent.KERNEL32 ref: 62484A8E
• SetEvent.KERNEL32(00000000), ref: 62484AEB
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Event$pthread_key_delete
• String ID: 40Ib$40Ib
• API String ID: 2183179807-1775419244
• Opcode ID: 51b3cbf14977e92bb8919e5b2c1dbdbefb53680924dfc9b808ad5738c662d670
• Instruction ID: 5d2337c50c4385fccab48cd343a8b2c298bd4024bc5ab4f8d7cd4fa8ca630fa1
• Opcode Fuzzy Hash: 51b3cbf14977e92bb8919e5b2c1dbdbefb53680924dfc9b808ad5738c662d670
• Instruction Fuzzy Hash: C94141706153018FD704AF39C9A4B1BBBE4BF85358F018A2CD4988B384EB79D545CBD2
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Event
• String ID:
• API String ID: 4201588131-0
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Event$pthread_mutex_trylock
• String ID: $0Ib$$0Ib
• API String ID: 3184621677-2500569730
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Event
• String ID: $0Ib$$0Ib
• API String ID: 4201588131-2500569730
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Event$freepthread_mutex_destroy
• String ID: $0Ib$$0Ib
• API String ID: 2672132264-2500569730
APIs
• SetEvent.KERNEL32 ref: 62481598
• SetEvent.KERNEL32(00000000), ref: 62481624
• CloseHandle.KERNEL32(00000000,00000000), ref: 62481635
• CloseHandle.KERNEL32(00000000), ref: 62481646
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: CloseEventHandle
• String ID: 40Ib$40Ib
• API String ID: 827626419-1775419244
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Event
• String ID: (0Ib$(0Ib
• API String ID: 4201588131-971630126
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Event
• String ID: $0Ib$$0Ib
• API String ID: 4201588131-2500569730
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Event
                                                                                                                                                  • String ID: ,0Ib$,0Ib
                                                                                                                                                  • API String ID: 4201588131-3949404277
                                                                                                                                                  • Opcode ID: c57045d6f0405f880711823f4ad250034745a2831eedcf9279b4893ed41891e8
                                                                                                                                                  • Instruction ID: f0fe42eccbce01bda31c9763d676d694d12827658a4e3aed7b551a17b2c704cb
                                                                                                                                                  • Opcode Fuzzy Hash: c57045d6f0405f880711823f4ad250034745a2831eedcf9279b4893ed41891e8
                                                                                                                                                  • Instruction Fuzzy Hash: A34151706197068FD704AF38C864B1BBBE5AF85358F118A2CE4E89B380DB79D545CBC2
APIs
• free.MSVCRT ref: 6248A630
• pthread_setspecific.PTHREADGC2 ref: 6248A644
  • Part of subcall function 6248554C: pthread_self.PTHREADGC2 ref: 62485563
  • Part of subcall function 6248554C: SetEvent.KERNEL32 ref: 624855E2
  • Part of subcall function 6248554C: SetEvent.KERNEL32 ref: 6248563E
  • Part of subcall function 6248554C: calloc.MSVCRT ref: 6248568B
• SetEvent.KERNEL32 ref: 6248A68A
• SetEvent.KERNEL32 ref: 6248A6D9
• _setjmp.MSVCRT ref: 6248A6E8
• _endthreadex.MSVCRT ref: 6248A710
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Event$_endthreadex_setjmpcallocfreepthread_selfpthread_setspecific
• String ID:
• API String ID: 806548757-0
• Opcode ID: f87e25bdc6cff4e3ee0a063e415998b0c739c2dea3969bf8ead056d6c9356350
• Instruction ID: 2d7551ab7d65c228da910d80f3b1a2b0480012fd727657f449c59f95fdb7ebf2
• Opcode Fuzzy Hash: f87e25bdc6cff4e3ee0a063e415998b0c739c2dea3969bf8ead056d6c9356350
• Instruction Fuzzy Hash: 91512A709117158FDB04EF78C8A0B9ABBF1AF88324F10862DD454AB380D778D985CB92
APIs
Strings
• internal error: deflate stream corrupt, xrefs: 62E86654
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
• Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: deflate
• String ID: internal error: deflate stream corrupt
• API String ID: 3803212549-3609297558
• Opcode ID: 8b00f5b3e98fcee3e9ec667e9ffc8b91688d401acfe45acdf49123535fda8684
• Instruction ID: 7409c3537517f2f2d82267a7044ba181cb3e5d8f94344fc6b6a3aceb1d8cad71
• Opcode Fuzzy Hash: 8b00f5b3e98fcee3e9ec667e9ffc8b91688d401acfe45acdf49123535fda8684
• Instruction Fuzzy Hash: F55109B0A147428FCB14DF38C1E061A7BE0AF45358B21CABDEC999B399D738D841DB41
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Event$pthread_cond_broadcast
• String ID: 0Ib
• API String ID: 1922247177-656040330
• Opcode ID: fb8c758732acc72b575d57a96eb9436728f63b9bad14cc8a0563ec36370ad54d
• Instruction ID: 009af99ccacc6292231ffab6fa452de951346c4b216856c61fc2fe727856fcd6
• Opcode Fuzzy Hash: fb8c758732acc72b575d57a96eb9436728f63b9bad14cc8a0563ec36370ad54d
• Instruction Fuzzy Hash: 84414F705197129FE345AF79C860B1BBBE0AF85358F11892CE4A88B380DBB9D545CBC3
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Event
• String ID: 40Ib$40Ib
• API String ID: 4201588131-1775419244
• Opcode ID: 8a9ecd915b93545e4c6ab9070af4010d42ba5651bcc3d0e93eed5065f9564b71
• Instruction ID: 10daa92af63fe4ebda6afb6f484f13fbf712bd8a8aee3c527c94f3e03fea91e4
• Opcode Fuzzy Hash: 8a9ecd915b93545e4c6ab9070af4010d42ba5651bcc3d0e93eed5065f9564b71
• Instruction Fuzzy Hash: C3413F706157428FD704EF39C960B1BBBE1AF85718F008A2DE8A89B640DB79D945CBD2
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Event
• String ID: 40Ib$40Ib
• API String ID: 4201588131-1775419244
• Opcode ID: 431498be76d510e7ff107a026c38a00a260c88ffe98c7e0c16f1b03f5c0e4c07
• Instruction ID: 312b01e4fa08bde9aa6c8fbefaa759c000bfd85778b96f0e57d7aa60a5b74ad5
• Opcode Fuzzy Hash: 431498be76d510e7ff107a026c38a00a260c88ffe98c7e0c16f1b03f5c0e4c07
• Instruction Fuzzy Hash: 6F4130B15153418FD705EF29C864B1BBBE1BF85318F408A2DE8A88B744DB39D546CBD2
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Event
• String ID: 40Ib$40Ib
• API String ID: 4201588131-1775419244
• Opcode ID: 2ccb42cfa1fd7e162ed1f138e23c6a1b99cdf93ad63440b4a1d09f37b80355fb
• Instruction ID: 24563704da45c8e6cbb7f66c7a013fb270b24eccebb48d46b0332d8f40cb8295
• Opcode Fuzzy Hash: 2ccb42cfa1fd7e162ed1f138e23c6a1b99cdf93ad63440b4a1d09f37b80355fb
• Instruction Fuzzy Hash: 85414D705153428FD705EF38C964B1BBBE1AF86318F118A2DE9988B740DB39D545CBD2
                                                                                                                                                  APIs
                                                                                                                                                  • pthread_getspecific.PTHREADGC2(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6248552D), ref: 6248503C
                                                                                                                                                  • SetEvent.KERNEL32 ref: 6248509C
                                                                                                                                                  • SetEvent.KERNEL32(00000000), ref: 624850E9
                                                                                                                                                  • SetEvent.KERNEL32(?), ref: 6248510D
                                                                                                                                                  • TlsSetValue.KERNEL32 ref: 6248517D
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Event$Valuepthread_getspecific
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4215522435-0
                                                                                                                                                  • Opcode ID: c51424898ff13dbd1864671ff75c2629aaa541b025cf2ea47a64796043d1d622
                                                                                                                                                  • Instruction ID: a9c86c5936d5c1a53e8965a5ac2bc45a43bb6bafc8021625b74153ed1a90096f
                                                                                                                                                  • Opcode Fuzzy Hash: c51424898ff13dbd1864671ff75c2629aaa541b025cf2ea47a64796043d1d622
                                                                                                                                                  • Instruction Fuzzy Hash: C7611A746153018FD705AF39C460B1ABBE1BF85718F028A6DD8A98B341DB39D941CFD2
                                                                                                                                                  APIs
                                                                                                                                                  • SetEvent.KERNEL32(00000000), ref: 62488B63
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Event
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4201588131-0
                                                                                                                                                  • Opcode ID: 0050d3310c4a507fe8ebaca03c5ee2483312844804f46ca9ffdeeafcb668bb3d
                                                                                                                                                  • Instruction ID: 196cf9c74c42857dddcffdc8e264a3e93f1df9ff12fbf8d109ef7115e79d3a28
                                                                                                                                                  • Opcode Fuzzy Hash: 0050d3310c4a507fe8ebaca03c5ee2483312844804f46ca9ffdeeafcb668bb3d
                                                                                                                                                  • Instruction Fuzzy Hash: EB514FB06157068FE705AF39C860B1BB7E1AFC5398F04892CE5988B344DB39D546CBD2
                                                                                                                                                  APIs
                                                                                                                                                  • pthread_self.PTHREADGC2 ref: 6248BB27
                                                                                                                                                    • Part of subcall function 624859C4: pthread_getspecific.PTHREADGC2(?,?,?,?,?,?,?,?,?,?,?,62485568), ref: 624859D2
                                                                                                                                                  • SetEvent.KERNEL32 ref: 6248BB87
                                                                                                                                                  • CreateEventA.KERNEL32 ref: 6248BBBE
                                                                                                                                                  • CloseHandle.KERNEL32 ref: 6248BBDD
                                                                                                                                                  • WaitForSingleObject.KERNEL32 ref: 6248BC19
                                                                                                                                                  • ResetEvent.KERNEL32 ref: 6248BC3C
                                                                                                                                                  • SetEvent.KERNEL32 ref: 6248BC81
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Event$CloseCreateHandleObjectResetSingleWaitpthread_getspecificpthread_self
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 469051586-0
                                                                                                                                                  • Opcode ID: d909507c624697166554d5934a3d978bc523f8cf432f363acc6ae38cd401d231
                                                                                                                                                  • Instruction ID: 05ca00d8247925a0dcaa603370cd46df2af8dabc2b69a6ba73b61840a53433e1
                                                                                                                                                  • Opcode Fuzzy Hash: d909507c624697166554d5934a3d978bc523f8cf432f363acc6ae38cd401d231
                                                                                                                                                  • Instruction Fuzzy Hash: C5514DB05197028FE715AF39C860B1BBBE1AF85318F018A2DD4A8CB344DB79D546CB92
                                                                                                                                                  APIs
                                                                                                                                                  • sched_get_priority_min.PTHREADGC2 ref: 62483882
                                                                                                                                                  • sched_get_priority_max.PTHREADGC2 ref: 6248389F
                                                                                                                                                  • SetEvent.KERNEL32 ref: 624838FF
                                                                                                                                                  • SetThreadPriority.KERNEL32 ref: 62483925
                                                                                                                                                  • SetEvent.KERNEL32(?), ref: 6248396A
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Event$PriorityThreadsched_get_priority_maxsched_get_priority_min
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3746687159-0
                                                                                                                                                  • Opcode ID: fbe8749b2fe631893ea311cd2ec7f44f313853df532e3f824f9d849359b7a1cd
                                                                                                                                                  • Instruction ID: b5876164b68b2af95b264b247175aa0458504a214cca22a27dd17237607192f8
                                                                                                                                                  • Opcode Fuzzy Hash: fbe8749b2fe631893ea311cd2ec7f44f313853df532e3f824f9d849359b7a1cd
                                                                                                                                                  • Instruction Fuzzy Hash: 2F514F705197028FD705AF39C4A4B5BBFE1AF85358F018A2DD8A89B380DB39D545CBD2
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
• Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: crc32$inflate
• String ID: compressed data error$incorrect data check$incorrect length check$internal error: inflate stream corrupt$out of memory$unexpected end of file
• API String ID: 939100155-4274367702
• Opcode ID: 6329e90b1799014abbcf4ddb67cfe1128b07b199997edf13930789a316b4ba66
• Instruction ID: f6d7fb18a85c4529b9037e4fd296b6da6d9ab2ac17fd8c2e465a0c1d906f2912
• Opcode Fuzzy Hash: 6329e90b1799014abbcf4ddb67cfe1128b07b199997edf13930789a316b4ba66
• Instruction Fuzzy Hash: CC51FBB05056018BC7109F38C59029A7BE4AF45768F32DB79E8EADB3D5EB38C441CB91
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
• Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: free$malloc$Init2_deflate
• String ID: 1.2.5$8$out of memory
• API String ID: 867007939-1222373650
• Opcode ID: 0315ac42e876d40d05f93404cd1db8c4f143f1f47c4d5ceeb2e0295bf5f41dc5
• Instruction ID: c7dbcca42130abea6c40b80f665fa7cd86052669b9a4737977c570d2bd6fb485
• Opcode Fuzzy Hash: 0315ac42e876d40d05f93404cd1db8c4f143f1f47c4d5ceeb2e0295bf5f41dc5
• Instruction Fuzzy Hash: 2921C2B09143019BDB44DF79C1D470A7BE5BF44308F209A7EE8988B35AE779D984CB92
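The records above are Joe Sandbox per-function listings: each block gives the API calls resolved inside one function (name, exporting module, observed arguments and the reference address), the memory dump the function was read from (the Offset is the module base), and the similarity keys used to match the function across samples. Read together, they say something about the two dropped modules: every function from the module at 62480000 calls into PTHREADGC2 (the pthreads-win32 DLL) beside KERNEL32 event and TLS calls, while the functions from the module at 62E80000 carry zlib's inflate and deflate error strings together with the version string 1.2.5. The Python below is an added example, not part of the Joe Sandbox report or its tooling. It parses records in this format into structured data, groups them by module base and applies a labelling heuristic for the two libraries. The sample input is two records (API, source and similarity fields) copied from the listing above with the indentation and link labels removed; the assumption that "$" separates the entries inside "API ID" and "String ID" comes from how those fields read here, and the library labels are this example's own rule of thumb, not a report verdict.

```python
"""Parse Joe Sandbox per-function records and summarise them per memory module.
Added example; not Joe Sandbox code."""
import re
from collections import defaultdict

# Constructed input: two records copied from the listing above (hash fields omitted).
SAMPLE = """\
APIs
• pthread_self.PTHREADGC2 ref: 6248BB27
  • Part of subcall function 624859C4: pthread_getspecific.PTHREADGC2(?,?,?,?,?,?,?,?,?,?,?,62485568), ref: 624859D2
• SetEvent.KERNEL32 ref: 6248BB87
• CreateEventA.KERNEL32 ref: 6248BBBE
• CloseHandle.KERNEL32 ref: 6248BBDD
• WaitForSingleObject.KERNEL32 ref: 6248BC19
• ResetEvent.KERNEL32 ref: 6248BC3C
• SetEvent.KERNEL32 ref: 6248BC81
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Event$CloseCreateHandleObjectResetSingleWaitpthread_getspecificpthread_self
• String ID:
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
Similarity
• API ID: free$malloc$Init2_deflate
• String ID: 1.2.5$8$out of memory
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "Name.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall function ADDR: "
API_REF_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$",
    re.IGNORECASE)
OFFSET_RE = re.compile(r"Offset: (?P<offset>[0-9A-F]+)", re.IGNORECASE)
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")


def parse_records(text):
    """Return one dict per record; a record starts at each 'APIs' header line."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            rec = {"apis": [], "strings": [], "source": {}, "similarity": {}}
            records.append(rec)
            section = line
        elif line in SECTION_HEADERS:
            section = line
        elif rec is not None and line.startswith("•"):
            body = line[1:].strip()
            if section == "APIs":
                m = API_REF_RE.match(body)
                if m:  # keep only lines that really are API references
                    rec["apis"].append(m.groupdict())
            elif section == "Strings":
                rec["strings"].append(body)
            elif section == "Memory Dump Source":
                m = OFFSET_RE.search(body)
                if m:  # module base the function was dumped from
                    rec["source"]["offset"] = m.group("offset").upper()
            elif section == "Similarity":
                key, _, value = body.partition(":")
                rec["similarity"][key.strip()] = value.strip()
    return records


def summarize_by_module(records):
    """Group records by module base. '$' as the separator inside the similarity IDs is
    an assumption taken from how the fields read in the report."""
    modules = defaultdict(lambda: {"records": 0, "apis": set(), "api_modules": set(),
                                   "api_ids": set(), "strings": set()})
    for rec in records:
        mod = modules[rec["source"].get("offset", "?")]
        mod["records"] += 1
        for api in rec["apis"]:
            mod["apis"].add(api["name"])
            mod["api_modules"].add(api["module"].upper())
        sim = rec["similarity"]
        mod["api_ids"].update(f for f in sim.get("API ID", "").split("$") if f)
        mod["strings"].update(s for s in sim.get("String ID", "").split("$") if s)
    return dict(modules)


def identify_library(summary):
    """Heuristic labels (this example's own rule, not a Joe Sandbox verdict): a PTHREADGC2
    import means pthreads-win32; inflate/deflate fragments plus an x.y.z string mean zlib."""
    labels = []
    if "PTHREADGC2" in summary["api_modules"]:
        labels.append("pthreads-win32 (pthreadGC2)")
    fragments = " ".join(summary["api_ids"]).lower()
    if "inflate" in fragments or "deflate" in fragments:
        versions = sorted(s for s in summary["strings"] if VERSION_RE.match(s))
        labels.append("zlib " + versions[0] if versions else "zlib (version not seen)")
    return labels


if __name__ == "__main__":
    for base, mod in sorted(summarize_by_module(parse_records(SAMPLE)).items()):
        print(base, mod["records"], "record(s)", identify_library(mod))
        print("   APIs:", sorted(mod["apis"]) or "(none listed)", "strings:", sorted(mod["strings"]))
```

Run it over a whole report and the per-module summary is a quick way to separate bundled open-source components (threading and compression libraries here) from the functions worth reversing; the labels are only a starting point and should be confirmed against the actual export tables of the dropped DLLs.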
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Event$CloseCreateHandle
• String ID:
• API String ID: 585692533-0
• Opcode ID: 006387165d5cfc1b13ade4fcfabc8c49c94df3f5710ea86fd58efcc7587482cc
• Instruction ID: 536b8b7eecc040316bb1490d2f8791fb3520a2b949b37b27cd12abebf6f6ca82
                                                                                                                                                  • Opcode Fuzzy Hash: 006387165d5cfc1b13ade4fcfabc8c49c94df3f5710ea86fd58efcc7587482cc
                                                                                                                                                  • Instruction Fuzzy Hash: 4F514EB06193128BD7059F39C860B1BBBE0AFC5368F05892DE4988B380DB79D546CBD3
APIs
• pthread_testcancel.PTHREADGC2 ref: 6248BFC9
  • Part of subcall function 6248B5C8: pthread_self.PTHREADGC2 ref: 6248B3F3
• _ftime.MSVCRT ref: 6248C01E
• pthread_mutex_lock.PTHREADGC2 ref: 6248C051
• _errno.MSVCRT ref: 6248C05E
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: _errno_ftimepthread_mutex_lockpthread_selfpthread_testcancel
• String ID:
• API String ID: 5459094-0
• Opcode ID: 74c4ea886fec7087c555853deacd0745634a921544c4dc64630510011a0a63e1
• Instruction ID: cfc935541d3f1d0f89be00d6593470304cc0fa27a1a50027ed45eb544d79ff31
• Opcode Fuzzy Hash: 74c4ea886fec7087c555853deacd0745634a921544c4dc64630510011a0a63e1
• Instruction Fuzzy Hash: C64117715187058FC304DF69C4A0A0BBBF0EF86764F508A2EE5A48B291E739D985CF82
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
• Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: _Jv_RegisterClasses$__register_frame_info$libgcc_s_dw2-1.dll$libgcj_s.dll
• API String ID: 1646373207-3040197113
• Opcode ID: 0a9424c55ed9b5f829c031ba5c27a18308786787a832b7ba7b3e82926c329470
• Instruction ID: 1520accef79832f783cd20bba75bebc26024ee9836fc6e95846268a10e259262
• Opcode Fuzzy Hash: 0a9424c55ed9b5f829c031ba5c27a18308786787a832b7ba7b3e82926c329470
• Instruction Fuzzy Hash: 0AF062B09483414ADB00BBF9663232EB6A49F40609F60C87ED8FCCB240EA34C150DB63
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: _Jv_RegisterClasses$__register_frame_info$libgcc_s_dw2-1.dll$libgcj-12.dll
• API String ID: 1646373207-874464504
• Opcode ID: 2a6a9bc78e64529146ab12478c4061a61d75a92cf3c6f2f9c848aa52bec0758d
• Instruction ID: 1c61528252c1406d4cf2b8bf18e0471a57e0159f19ba91548c8a38a94f659adc
• Opcode Fuzzy Hash: 2a6a9bc78e64529146ab12478c4061a61d75a92cf3c6f2f9c848aa52bec0758d
• Instruction Fuzzy Hash: DDF06D70A2A3019AE7017B798A31F2E7AE46F42649F41485EDCA886245DA38D180CBA3
APIs
• pthread_mutex_lock.PTHREADGC2 ref: 62487DCB
  • Part of subcall function 624872FC: WaitForSingleObject.KERNEL32 ref: 6248734E
• CloseHandle.KERNEL32 ref: 62487DE2
• pthread_mutex_unlock.PTHREADGC2 ref: 62487DFB
• Sleep.KERNEL32 ref: 62487E07
• pthread_mutex_destroy.PTHREADGC2(00000000), ref: 62487E10
  • Part of subcall function 624862D4: pthread_mutex_trylock.PTHREADGC2 ref: 624862F1
  • Part of subcall function 624862D4: free.MSVCRT ref: 62486326
  • Part of subcall function 624862D4: CloseHandle.KERNEL32 ref: 62486335
• free.MSVCRT ref: 62487E1D
• _errno.MSVCRT ref: 62487E31
• pthread_mutex_unlock.PTHREADGC2 ref: 62487E4B
• pthread_mutex_unlock.PTHREADGC2 ref: 62487E5B
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: pthread_mutex_unlock$CloseHandlefree$ObjectSingleSleepWait_errnopthread_mutex_destroypthread_mutex_lockpthread_mutex_trylock
• String ID:
• API String ID: 1765050713-0
• Opcode ID: 54cdd8695500c320e272304b0787b70abbc485f8a240291c35dd53958e754cf2
• Instruction ID: 1f2a4eb4f731e649fc86398aff19053bdef61e56f828baef3764c5bb707ad8d3
• Opcode Fuzzy Hash: 54cdd8695500c320e272304b0787b70abbc485f8a240291c35dd53958e754cf2
• Instruction Fuzzy Hash: EC11BF762286058AD7107F3CD8B0E7E7BE4AF42728F44052DD9A88F281D73DD8418BA2
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
• Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: crc32
• String ID: incorrect header check$invalid window size$unknown compression method
• API String ID: 2947273566-1186847913
• Opcode ID: 57dc7270ef0b4fb978bed968b3a98e8255d0ad1cbe9ed4b5d875d09febdef2da
• Instruction ID: 941fa55b0a0353901e4074778b68a8a0a84c7c45d7d4afe1fb99b3f3076daa76
• Opcode Fuzzy Hash: 57dc7270ef0b4fb978bed968b3a98e8255d0ad1cbe9ed4b5d875d09febdef2da
• Instruction Fuzzy Hash: 07A11975E042058BDB04CF69C4A079DB7F1FF89318F24C16AE898AB745D379E985CB81
                                                                                                                                                  APIs
                                                                                                                                                  • VirtualQuery.KERNEL32 ref: 62E8E2B8
                                                                                                                                                  • VirtualProtect.KERNEL32 ref: 62E8E2ED
                                                                                                                                                  • memcpy.MSVCRT ref: 62E8E300
                                                                                                                                                  • VirtualProtect.KERNEL32 ref: 62E8E32D
                                                                                                                                                    • Part of subcall function 62E8E230: fwrite.MSVCRT ref: 62E8E263
                                                                                                                                                    • Part of subcall function 62E8E230: vfprintf.MSVCRT ref: 62E8E276
                                                                                                                                                    • Part of subcall function 62E8E230: abort.MSVCRT(?,?,?,?,?,?,62E8E352), ref: 62E8E27B
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Virtual$Protect$Queryabortfwritememcpyvfprintf
• String ID: VirtualQuery failed for %d bytes at address %p$@$ab
• API String ID: 1199066469-274822748
APIs
• pthread_mutex_lock.PTHREADGC2 ref: 624891AF
  • Part of subcall function 624872FC: WaitForSingleObject.KERNEL32 ref: 6248734E
• pthread_mutex_unlock.PTHREADGC2 ref: 624891C8
• _errno.MSVCRT ref: 624891E1
• WaitForSingleObject.KERNEL32 ref: 62489206
• pthread_mutex_unlock.PTHREADGC2 ref: 62489215
• _errno.MSVCRT ref: 6248921A
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: ObjectSingleWait_errnopthread_mutex_unlock$pthread_mutex_lock
• String ID: 0Ib
• API String ID: 1429293333-656040330
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: freemalloc
• String ID:
• API String ID: 3061335427-0
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Process$AffinityCurrentMaskcallocfreepthread_mutexattr_destroypthread_mutexattr_init
• String ID:
• API String ID: 3396887095-0
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: pthread_mutex_destroypthread_mutex_init$callocfreepthread_cond_init
• String ID:
• API String ID: 3621214785-0
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: inflate$Init_
• String ID: 1.2.5$8
• API String ID: 1809909112-3466090614
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: deflate$Init_
• String ID: 1.2.5$8
• API String ID: 1566556424-3466090614
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: deflate$Init_
                                                                                                                                                  • String ID: 1.2.5$8
                                                                                                                                                  • API String ID: 1566556424-3466090614
                                                                                                                                                  • Opcode ID: 6aa1fbb3dd6a0dcb7c6f8b0971100bab3856ea484926e79b0889eb65734d916f
                                                                                                                                                  • Instruction ID: e2efe5832cbbca7a7eb46289cbfa870a80fd74abf76f8924c9dae7482bd5d918
                                                                                                                                                  • Opcode Fuzzy Hash: 6aa1fbb3dd6a0dcb7c6f8b0971100bab3856ea484926e79b0889eb65734d916f
                                                                                                                                                  • Instruction Fuzzy Hash: A3113DB5A047159FCB00DFA8C89078EBBF0FF49768F20852DE9A89B340E7799505CB95
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  • invalid literal/lengths set, xrefs: 62E8AC58
                                                                                                                                                  • invalid code -- missing end-of-block, xrefs: 62E8AC70
                                                                                                                                                  • invalid literal/length code, xrefs: 62E8AD1C
                                                                                                                                                  • invalid distances set, xrefs: 62E8AC40
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: crc32
                                                                                                                                                  • String ID: invalid code -- missing end-of-block$invalid distances set$invalid literal/length code$invalid literal/lengths set
                                                                                                                                                  • API String ID: 2947273566-1716664648
                                                                                                                                                  • Opcode ID: 8c62d92617386be552b07a6704953bc79d239cac3738bd858d3a14cb47e02eee
                                                                                                                                                  • Instruction ID: 4b8f2c44db96610f255233766cb11cd5cd4a961a2d2cdd76a04fc67db75caeea
                                                                                                                                                  • Opcode Fuzzy Hash: 8c62d92617386be552b07a6704953bc79d239cac3738bd858d3a14cb47e02eee
                                                                                                                                                  • Instruction Fuzzy Hash: 3C02E475D042198FCB14CFA9C4A069DFBF1BF49314F24C16AE898AB351D379A985CF81
                                                                                                                                                  APIs
                                                                                                                                                  • pthread_mutex_lock.PTHREADGC2 ref: 6248A024
                                                                                                                                                    • Part of subcall function 624872FC: WaitForSingleObject.KERNEL32 ref: 6248734E
                                                                                                                                                  • pthread_mutex_unlock.PTHREADGC2 ref: 6248A04E
                                                                                                                                                  • sem_post_multiple.PTHREADGC2 ref: 6248A063
                                                                                                                                                  • _errno.MSVCRT ref: 6248A06C
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ObjectSingleWait_errnopthread_mutex_lockpthread_mutex_unlocksem_post_multiple
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3229830424-0
                                                                                                                                                  • Opcode ID: 004b0a202de4e3a029b80d7530bead62efdd82038f3348ef962ed402a199235f
                                                                                                                                                  • Instruction ID: 0cf57abceff938b29e0dec53e0a02d87dc7cec3a4dff54b8d74a205e97e88f5e
                                                                                                                                                  • Opcode Fuzzy Hash: 004b0a202de4e3a029b80d7530bead62efdd82038f3348ef962ed402a199235f
                                                                                                                                                  • Instruction Fuzzy Hash: 2F2157712243258BDB009F2888E0B5A77E4AF4A358F4441ADD8548F385E7BAD945DFA3
                                                                                                                                                  APIs
                                                                                                                                                  • pthread_mutex_lock.PTHREADGC2 ref: 62489B3F
                                                                                                                                                    • Part of subcall function 624872FC: WaitForSingleObject.KERNEL32 ref: 6248734E
                                                                                                                                                  • pthread_mutex_unlock.PTHREADGC2 ref: 62489B61
                                                                                                                                                  • sem_post_multiple.PTHREADGC2 ref: 62489B7A
                                                                                                                                                  • _errno.MSVCRT ref: 62489B83
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ObjectSingleWait_errnopthread_mutex_lockpthread_mutex_unlocksem_post_multiple
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3229830424-0
                                                                                                                                                  • Opcode ID: bdf0696f625c77d7ec223198afa49835394e831821e880cb23b5ccc194854b7e
                                                                                                                                                  • Instruction ID: 6e249da5fe5393d84f3acde19bdbaed46f888da55134c05398365e249f023941
                                                                                                                                                  • Opcode Fuzzy Hash: bdf0696f625c77d7ec223198afa49835394e831821e880cb23b5ccc194854b7e
                                                                                                                                                  • Instruction Fuzzy Hash: 31216D71628A118BEB019F38C8E0E5A77E4BF41358F4485ADCC948F345E73AD981DB92
                                                                                                                                                  APIs
                                                                                                                                                  • pthread_mutex_lock.PTHREADGC2 ref: 62487B13
                                                                                                                                                    • Part of subcall function 624872FC: WaitForSingleObject.KERNEL32 ref: 6248734E
                                                                                                                                                  • pthread_mutex_unlock.PTHREADGC2 ref: 62487B48
                                                                                                                                                  • _errno.MSVCRT ref: 62487B5D
                                                                                                                                                  • pthread_mutex_unlock.PTHREADGC2 ref: 62487B74
                                                                                                                                                  • ReleaseSemaphore.KERNEL32 ref: 62487B98
                                                                                                                                                  • pthread_mutex_unlock.PTHREADGC2 ref: 62487BBB
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: pthread_mutex_unlock$ObjectReleaseSemaphoreSingleWait_errnopthread_mutex_lock
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3268020351-0
                                                                                                                                                  • Opcode ID: 91ca6bfd74da2f2c87d94b7fd11edf2f7a55ed5991958a0f6b0e2f789b72d0c4
                                                                                                                                                  • Instruction ID: eeb53f323481d54401beb26203cb96d2d4befce3eaf0db09278ee3cf308f93cc
                                                                                                                                                  • Opcode Fuzzy Hash: 91ca6bfd74da2f2c87d94b7fd11edf2f7a55ed5991958a0f6b0e2f789b72d0c4
                                                                                                                                                  • Instruction Fuzzy Hash: 7321533932C7058BD714EF39C8F0A1AB7E5AF86368F10562DD9648F380D738D8468B92
                                                                                                                                                  APIs
                                                                                                                                                  • pthread_mutex_lock.PTHREADGC2 ref: 62489CA7
                                                                                                                                                    • Part of subcall function 624872FC: WaitForSingleObject.KERNEL32 ref: 6248734E
                                                                                                                                                  • pthread_mutex_unlock.PTHREADGC2 ref: 62489CC8
                                                                                                                                                  • pthread_mutex_lock.PTHREADGC2 ref: 62489CD9
                                                                                                                                                  • sem_post.PTHREADGC2 ref: 62489CFE
                                                                                                                                                  • _errno.MSVCRT ref: 62489D07
                                                                                                                                                  • sem_post.PTHREADGC2 ref: 62489D37
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: pthread_mutex_locksem_post$ObjectSingleWait_errnopthread_mutex_unlock
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3860541548-0
                                                                                                                                                  • Opcode ID: 02f7d385cd3bef33bfb6848a194454e3509d51fc437b1403ea8b52e2fbb023df
                                                                                                                                                  • Instruction ID: 751d1e3366f89a3300d9fef04956b077be6aa83517ec03232611fe9e15de695e
                                                                                                                                                  • Opcode Fuzzy Hash: 02f7d385cd3bef33bfb6848a194454e3509d51fc437b1403ea8b52e2fbb023df
                                                                                                                                                  • Instruction Fuzzy Hash: F221E574518B01CFC700DF25C5E0A5ABBE4AF89348B14C96DDD958B305E33AE586CB92
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
• Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: free$_closedeflate
• String ID:
• API String ID: 4255144732-0
• Opcode ID: a4934ba4cd7cdf4555f2c14d2c3098ae8cbf53bfe442ab90beb2520ac2676dc5
• Instruction ID: 8a5e13ef65859c16978f68a852bf346a9b92cf4f4057dc546f77c6fb2d175a12
• Opcode Fuzzy Hash: a4934ba4cd7cdf4555f2c14d2c3098ae8cbf53bfe442ab90beb2520ac2676dc5
• Instruction Fuzzy Hash: B2118FB5A142519BDB00AF78C8D464A7BE4AF04358F259D7DE98C8F305E73AD844CBD1
APIs
• pthread_mutex_lock.PTHREADGC2 ref: 62487BDF
  • Part of subcall function 624872FC: WaitForSingleObject.KERNEL32 ref: 6248734E
• pthread_mutex_unlock.PTHREADGC2 ref: 62487C03
• _errno.MSVCRT ref: 62487C19
• pthread_mutex_unlock.PTHREADGC2 ref: 62487C30
• ReleaseSemaphore.KERNEL32 ref: 62487C4E
• pthread_mutex_unlock.PTHREADGC2 ref: 62487C66
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: pthread_mutex_unlock$ObjectReleaseSemaphoreSingleWait_errnopthread_mutex_lock
• String ID:
• API String ID: 3268020351-0
• Opcode ID: 94d9388abac63eaea1cc1425e1e7c59fe4976f0fa0d830b769d0df9032cb666f
• Instruction ID: 0912ed0ac1612cbeebf0b1a2632ba4f39efb66b5993e88b6f14087e60a95d8d6
• Opcode Fuzzy Hash: 94d9388abac63eaea1cc1425e1e7c59fe4976f0fa0d830b769d0df9032cb666f
• Instruction Fuzzy Hash: 06119E743282058BE750AF3DC4B0F4A76E4AF42368F51052DDAA88F381D739C485CBA2
APIs
• calloc.MSVCRT ref: 6248678C
• pthread_mutex_init.PTHREADGC2 ref: 624867A7
  • Part of subcall function 62482FA0: calloc.MSVCRT ref: 62482FD8
  • Part of subcall function 62482FA0: CreateEventA.KERNEL32 ref: 62483037
• free.MSVCRT ref: 624867B3
• _errno.MSVCRT ref: 624867C5
• CreateSemaphoreA.KERNEL32 ref: 62486807
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Createcalloc$EventSemaphore_errnofreepthread_mutex_init
• String ID:
• API String ID: 2823924184-0
• Opcode ID: 5368a0484c97c699839448fb7fad81d2d7523f17f39baea261bcaec6595b6344
• Instruction ID: ab41e06fe66bf51a6269878019794aa549e59f4ee285e0bc982b829d79a050c9
• Opcode Fuzzy Hash: 5368a0484c97c699839448fb7fad81d2d7523f17f39baea261bcaec6595b6344
• Instruction Fuzzy Hash: 9F114FB01297428BE340AF39D4A0F4ABBE4AF45718F414A6DD8984B381E77DC984CBD2
APIs
• pthread_mutex_lock.PTHREADGC2 ref: 62487D43
  • Part of subcall function 624872FC: WaitForSingleObject.KERNEL32 ref: 6248734E
• pthread_mutex_unlock.PTHREADGC2 ref: 62487D60
• _errno.MSVCRT ref: 62487D75
• pthread_mutex_unlock.PTHREADGC2 ref: 62487D87
• pthread_mutex_unlock.PTHREADGC2 ref: 62487D96
• _errno.MSVCRT ref: 62487D9B
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: pthread_mutex_unlock$_errno$ObjectSingleWaitpthread_mutex_lock
• String ID:
• API String ID: 343774353-0
• Opcode ID: bb0c5e95f759443f18a852f167f8a68b7134e4402f8e90802713411ab000dfb9
• Instruction ID: 5c686b06efbd3e7ad38d1418568144dc5a89cc7ce8a2fa5610caeff6ef25bdd3
• Opcode Fuzzy Hash: bb0c5e95f759443f18a852f167f8a68b7134e4402f8e90802713411ab000dfb9
• Instruction Fuzzy Hash: DA018F753286458BD750AF3C88A0E6676E4AF423A8F55056DE8688F3D1EB3CD441CBA2
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
• Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: free$_close
• String ID:
• API String ID: 3165389682-0
• Opcode ID: af059f53bfab33505e401f41de6552891e8dd7dfe260d3f629492ec4ac87afc1
• Instruction ID: 160ff0f32e9bc87e785e62aff389192a6e5eb00d61ba20ee5a0ecb24eae180ad
• Opcode Fuzzy Hash: af059f53bfab33505e401f41de6552891e8dd7dfe260d3f629492ec4ac87afc1
• Instruction Fuzzy Hash: D4014CB09087009BDB00AF38C4E465EBBE4EF01358F569D7DE8C98B345E779D8448B91
APIs
• __init_pointers.LIBCMT ref: 6BC52B5F
  • Part of subcall function 6BC53C86: EncodePointer.KERNEL32(00000000,00000001,6BC52B64,6BC52328,6BC6E248,00000008,6BC524EE,?,00000001,?,6BC6E268,0000000C,6BC5248D,?,00000001,?), ref: 6BC53C89
  • Part of subcall function 6BC53C86: __initp_misc_winsig.LIBCMT ref: 6BC53CAA
  • Part of subcall function 6BC53C86: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6BC5718E
  • Part of subcall function 6BC53C86: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6BC571A2
  • Part of subcall function 6BC53C86: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6BC571B5
  • Part of subcall function 6BC53C86: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6BC571C8
  • Part of subcall function 6BC53C86: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6BC571DB
  • Part of subcall function 6BC53C86: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 6BC571EE
  • Part of subcall function 6BC53C86: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 6BC57201
  • Part of subcall function 6BC53C86: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 6BC57214
  • Part of subcall function 6BC53C86: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 6BC57227
  • Part of subcall function 6BC53C86: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 6BC5723A
  • Part of subcall function 6BC53C86: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 6BC5724D
  • Part of subcall function 6BC53C86: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 6BC57260
  • Part of subcall function 6BC53C86: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 6BC57273
  • Part of subcall function 6BC53C86: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 6BC57286
  • Part of subcall function 6BC53C86: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 6BC57299
  • Part of subcall function 6BC53C86: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 6BC572AC
• __mtinitlocks.LIBCMT ref: 6BC52B64
  • Part of subcall function 6BC5791A: InitializeCriticalSectionAndSpinCount.KERNEL32(6BC6FF30,00000FA0,?,00000001,6BC52B69,6BC52328,6BC6E248,00000008,6BC524EE,?,00000001,?,6BC6E268,0000000C,6BC5248D,?), ref: 6BC57938
• __mtterm.LIBCMT ref: 6BC52B6D
  • Part of subcall function 6BC52BD5: DeleteCriticalSection.KERNEL32(?,?,?,?,6BC523F3,6BC523D9,6BC6E248,00000008,6BC524EE,?,00000001,?,6BC6E268,0000000C,6BC5248D,?), ref: 6BC57836
  • Part of subcall function 6BC52BD5: _free.LIBCMT ref: 6BC5783D
  • Part of subcall function 6BC52BD5: DeleteCriticalSection.KERNEL32(6BC6FF30,?,?,6BC523F3,6BC523D9,6BC6E248,00000008,6BC524EE,?,00000001,?,6BC6E268,0000000C,6BC5248D,?,00000001), ref: 6BC5785F
• __calloc_crt.LIBCMT ref: 6BC52B92
• GetCurrentThreadId.KERNEL32 ref: 6BC52BBB
Memory Dump Source
• Source File: 0000000F.00000002.1772694379.000000006BC04000.00000080.00000001.01000000.0000001D.sdmp, Offset: 6BC00000, based on PE: true
• Associated: 0000000F.00000002.1772566060.000000006BC00000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1772649678.000000006BC01000.00000040.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773080344.000000006BC5F000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773185176.000000006BC6F000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773235468.000000006BC73000.00000008.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773277104.000000006BC74000.00000002.00000001.01000000.0000001D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6bc00000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: AddressProc$CriticalSection$Delete$CountCurrentEncodeHandleInitializeModulePointerSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
• String ID:
• API String ID: 2930087205-0
• Opcode ID: de2719a22c158b7931a63f617a29554b4e964459578dd7925d17171a97c773ec
• Instruction ID: d5d325868aadd7f1662c15b69795a92be240bf98410a4e69bcaa7052fa579607
• Opcode Fuzzy Hash: de2719a22c158b7931a63f617a29554b4e964459578dd7925d17171a97c773ec
                                                                                                                                                  • Instruction Fuzzy Hash: 6CF0F0332392521DE2243E746822A8B2AD4CF01238F20466EE4A2DD0C0FF1CC7B042AC
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Process$CloseCurrentHandleOpen
• String ID:
• API String ID: 2750122171-0
• Opcode ID: c1fcd7bd7ab2f25389089149eb784afca9c50725c689cee58fca9348804c1656
• Instruction ID: ae4d7c052e25bd282b889815f45a2f8fd85fffda5d99fa73a144c9943f91f659
• Opcode Fuzzy Hash: c1fcd7bd7ab2f25389089149eb784afca9c50725c689cee58fca9348804c1656
• Instruction Fuzzy Hash: 73F068B0629301CADB107F7D84A5F5A7AE46F0575CF80565EEC54CB282EB3DC984C752
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
• Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: crc32
• String ID: incorrect data check$incorrect length check
• API String ID: 2947273566-170994517
• Opcode ID: 9a6373a2dd88d93dcf448920684c522c8deccbfc060399cad25c55581f3f1963
• Instruction ID: 70e7c29451de6695e873c9dc313817eea4516100233e55ffa2c5821c56bce0fe
• Opcode Fuzzy Hash: 9a6373a2dd88d93dcf448920684c522c8deccbfc060399cad25c55581f3f1963
• Instruction Fuzzy Hash: 6DA11C75E002199FDB04CFA8D59069DF7F2BF89318F25C169E858AB345D378E982CB80
APIs
Strings
• @, xrefs: 6248CDF8
• VirtualQuery failed for %d bytes at address %p, xrefs: 6248CE78
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Virtual$Protect$Query
• String ID: VirtualQuery failed for %d bytes at address %p$@
• API String ID: 3618607426-709786108
• Opcode ID: 3535b8eecc28fd789f9e604bc0d9278115e5cea7124c0b6604ef54f6e19b3003
• Instruction ID: 82a6f78d64b2ea053938f93a62a5791c8660329faaf86ef685fe132c40891215
• Opcode Fuzzy Hash: 3535b8eecc28fd789f9e604bc0d9278115e5cea7124c0b6604ef54f6e19b3003
• Instruction Fuzzy Hash: 56312DB5D152089FDB04EFA9E4919DEFBF4EB88258F00852EE858E3350E335D940CB92
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
• Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: crc32
• String ID:
• API String ID: 2947273566-0
• Opcode ID: 274d402638a11a853ca8fe09caaeaa5f210151aa81707fc5d458484df5fea087
• Instruction ID: 0dd4f34f4fd303bb361b4fe4f0f464aa07be77880cb2470da16a0d6ef7f4540f
• Opcode Fuzzy Hash: 274d402638a11a853ca8fe09caaeaa5f210151aa81707fc5d458484df5fea087
• Instruction Fuzzy Hash: 7FE11975E042159FCB04CFA8D49069DFBF2BF89314F25C16AE898AB345D339E942CB91
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: pthread_equalpthread_self$Event
• String ID:
• API String ID: 2888742973-0
• Opcode ID: ea30a8af798378eed405a452b5080392133deee9a42f152d28ae5ec645788012
• Instruction ID: d757fe6912fff80dfe02d2f7d50fbd0a55a01bdb25e3bb9bab7edcad2b5bd322
• Opcode Fuzzy Hash: ea30a8af798378eed405a452b5080392133deee9a42f152d28ae5ec645788012
• Instruction Fuzzy Hash: 61412E74A346028FDB82DF29D4A0B26B7E0EF84354F14C969D858CB34BD639D541CB91
APIs
• _malloc.LIBCMT ref: 6BC597BD
  • Part of subcall function 6BC51A38: __FF_MSGBANNER.LIBCMT ref: 6BC51A4F
  • Part of subcall function 6BC51A38: __NMSG_WRITE.LIBCMT ref: 6BC51A56
  • Part of subcall function 6BC51A38: HeapAlloc.KERNEL32(00900000,00000000,00000001,00000000,?,00000000,?,6BC57451,?,?,?,?,?,6BC578B4,00000018,6BC6E538), ref: 6BC51A7B
• _free.LIBCMT ref: 6BC597D0
Memory Dump Source
• Source File: 0000000F.00000002.1772694379.000000006BC04000.00000080.00000001.01000000.0000001D.sdmp, Offset: 6BC00000, based on PE: true
• Associated: 0000000F.00000002.1772566060.000000006BC00000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1772649678.000000006BC01000.00000040.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773080344.000000006BC5F000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773185176.000000006BC6F000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773235468.000000006BC73000.00000008.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773277104.000000006BC74000.00000002.00000001.01000000.0000001D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6bc00000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: AllocHeap_free_malloc
• String ID:
• API String ID: 2734353464-0
• Opcode ID: 5342e39267751c971878e82cbbc4ac8d241149dcea695f583e45f8901231cd40
• Instruction ID: 2e1c5455af4426b44c08dd41def219bce01f7ab0b1ce0516ea04f23ffabe7fb8
• Opcode Fuzzy Hash: 5342e39267751c971878e82cbbc4ac8d241149dcea695f583e45f8901231cd40
• Instruction Fuzzy Hash: CE11EB738252119FCF151FB9980468937E8AF05364F1040A6E9489A152FFBDC77082BC
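Each Memory Dump Source entry above names its dumped region with a dotted .sdmp file name. Read as pid.stage.ordinal.address.protection.flags.type.module, the names for the module at 6BC00000 list pages at 6BC01000 and 6BC04000 with protection 00000040 and 00000080, that is, executable pages that are also writable, while the module at 62480000 keeps its code page at 62481000 under 00000020. The script below is an added example and is not part of the Joe Sandbox report or its IDA plugin: it decodes those names and lists the writable-and-executable regions. The field layout is an assumption inferred from the names on this page (it agrees with the Snapshot File names, e.g. hcaresult_15_2_6bc00000 for pid 0F, stage 2, base 6BC00000); the fifth and seventh fields are read as the Windows PAGE_* and MEM_* constants, and the sixth field is left uninterpreted.

```python
"""Decode the .sdmp region names from the Memory Dump Source entries and flag
pages mapped both writable and executable.

Added example. The name layout pid.stage.ordinal.address.protection.flags.type.module
is an assumption inferred from the names on this page, not documented Joe Sandbox
behaviour; the flags field is not interpreted.
"""
import re
from dataclasses import dataclass

# Page-protection constants from winnt.h.
PAGE_NOACCESS = 0x01
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PROTECT_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS",
    PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE",
    PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE",
    PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
WRITABLE = {PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
# MEMORY_BASIC_INFORMATION.Type values from winnt.h.
MEM_TYPES = {0x1000000: "MEM_IMAGE", 0x40000: "MEM_MAPPED", 0x20000: "MEM_PRIVATE"}

# Assumed layout of an sdmp name: 8-digit hex fields, a decimal ordinal, a 16-digit address.
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class Region:
    pid: int
    stage: int
    address: int
    protect: int
    mem_type: int
    module: int

    @property
    def protect_name(self) -> str:
        return PROTECT_NAMES.get(self.protect, f"0x{self.protect:x}")

    @property
    def is_wx(self) -> bool:
        """True when the page is both writable and executable, i.e. W^X is not enforced."""
        return self.protect in EXECUTABLE and self.protect in WRITABLE


def parse_sdmp(name: str) -> Region:
    """Split one sdmp file name into its numeric fields; the ordinal and flags are dropped."""
    m = SDMP_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not an sdmp region name: {name!r}")
    pid, stage, _ordinal, addr, prot, _flags, mtype, module = m.groups()
    return Region(int(pid, 16), int(stage, 16), int(addr, 16),
                  int(prot, 16), int(mtype, 16), int(module, 16))


def wx_regions(names):
    """Return the regions whose protection is writable and executable, ordered by address."""
    return sorted((r for r in map(parse_sdmp, names) if r.is_wx), key=lambda r: r.address)


# Region names copied from the Memory Dump Source entries above: the module at
# 6BC00000 (module index 1D) and three regions of the module at 62480000 (index 0A).
SAMPLE_NAMES = [
    "0000000F.00000002.1772694379.000000006BC04000.00000080.00000001.01000000.0000001D.sdmp",
    "0000000F.00000002.1772566060.000000006BC00000.00000002.00000001.01000000.0000001D.sdmp",
    "0000000F.00000002.1772649678.000000006BC01000.00000040.00000001.01000000.0000001D.sdmp",
    "0000000F.00000002.1773080344.000000006BC5F000.00000002.00000001.01000000.0000001D.sdmp",
    "0000000F.00000002.1773185176.000000006BC6F000.00000004.00000001.01000000.0000001D.sdmp",
    "0000000F.00000002.1773235468.000000006BC73000.00000008.00000001.01000000.0000001D.sdmp",
    "0000000F.00000002.1773277104.000000006BC74000.00000002.00000001.01000000.0000001D.sdmp",
    "0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp",
    "0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp",
    "0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp",
]

if __name__ == "__main__":
    for r in wx_regions(SAMPLE_NAMES):
        kind = MEM_TYPES.get(r.mem_type, f"0x{r.mem_type:x}")
        print(f"pid {r.pid} module {r.module:#x} {r.address:#010x} {r.protect_name} {kind}")
```

Run as-is it reports only the two 6BC00000 regions (6BC01000 as PAGE_EXECUTE_READWRITE and 6BC04000 as PAGE_EXECUTE_WRITECOPY, both MEM_IMAGE); the 62481000 code page is PAGE_EXECUTE_READ and is not listed. Feeding it every Associated line of a report gives a quick triage of which loaded images carry writable code pages, which is the condition an unpacker or in-place patcher needs.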
                                                                                                                                                  APIs
                                                                                                                                                  • pthread_mutex_lock.PTHREADGC2 ref: 62489C35
                                                                                                                                                  • pthread_mutex_unlock.PTHREADGC2 ref: 62489C4E
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: pthread_mutex_lockpthread_mutex_unlock
• String ID:
• API String ID: 3887897452-0
APIs
• InterlockedExchange.KERNEL32 ref: 62E9279B
• InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,62E928A9,?,00000000,?,?,?,?,?,62E8F56A), ref: 62E927AE
• InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,62E928A9,?,00000000), ref: 62E927BD
  • Part of subcall function 62E81030: __dllonexit.MSVCRT ref: 62E8104C
• EnterCriticalSection.KERNEL32(?,?,?,?,?,62E928A9,?,00000000,?,?,?,?,?,62E8F56A), ref: 62E927E8
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: CriticalSection$Initialize$EnterExchangeInterlocked__dllonexit
• String ID:
• API String ID: 3890555841-0
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Process$CloseCurrentHandleOpen
• String ID:
• API String ID: 2750122171-0
APIs
• pthread_win32_thread_detach_np.PTHREADGC2 ref: 624854FE
• pthread_win32_process_detach_np.PTHREADGC2 ref: 62485503
• pthread_win32_process_attach_np.PTHREADGC2 ref: 62485534
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: pthread_win32_process_attach_nppthread_win32_process_detach_nppthread_win32_thread_detach_np
• String ID:
• API String ID: 2138137557-0
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: crc32
• String ID: @$invalid distance code$invalid distance too far back
• API String ID: 2947273566-2524391019
APIs
Strings
• unknown compression method, xrefs: 62E8AA5A
• unknown header flags set, xrefs: 62E8AB27
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: crc32
• String ID: unknown compression method$unknown header flags set
• API String ID: 2947273566-1514342171
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Event
• String ID: 40Ib$40Ib
• API String ID: 4201588131-1775419244
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: callocsem_init
                                                                                                                                                  • String ID: $
                                                                                                                                                  • API String ID: 3535707587-3993045852
                                                                                                                                                  • Opcode ID: 6a48cf2474009a993734a59f1213ca1165232f5ea712e496eb33f0ba5427dc5f
                                                                                                                                                  • Instruction ID: aa03c5e3d0aed764b2e472a65aa8af7cc9a6eb9d76b5623a41e58625d1ba8e5d
                                                                                                                                                  • Opcode Fuzzy Hash: 6a48cf2474009a993734a59f1213ca1165232f5ea712e496eb33f0ba5427dc5f
                                                                                                                                                  • Instruction Fuzzy Hash: 8F11097193A356DBE7809F28C554B4A7BE4EF45744F00442EE85C8B340E779D544CB92
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Virtual$Protect$Queryabortfwritememcpyvfprintf
                                                                                                                                                  • String ID: ab
                                                                                                                                                  • API String ID: 1199066469-1032453237
                                                                                                                                                  • Opcode ID: 807d9bf50d9527caeb01ed81e10fe2ca7b1d171c58672be88f70f0f94e13e325
                                                                                                                                                  • Instruction ID: 00c6001e63f5fe0c07958d44b7f81aa6befaa1e04fec57921c0a30ac6ad08cbb
                                                                                                                                                  • Opcode Fuzzy Hash: 807d9bf50d9527caeb01ed81e10fe2ca7b1d171c58672be88f70f0f94e13e325
                                                                                                                                                  • Instruction Fuzzy Hash: 05019AB5D04318ABCB00DF9AC59158DFBF4AB48754F51C4AEA89CA7301D7706A408B96
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                                                                  • String ID: __deregister_frame_info$libgcc_s_dw2-1.dll
                                                                                                                                                  • API String ID: 1646373207-2468945734
                                                                                                                                                  • Opcode ID: 2af05dc328b16632f5a276b4284edcc08d59bebb02df066ef000efd0ac755beb
                                                                                                                                                  • Instruction ID: d19c67d781cfa977b0abff07f7ff6a4127c1c942feba612d96e57728910d831c
                                                                                                                                                  • Opcode Fuzzy Hash: 2af05dc328b16632f5a276b4284edcc08d59bebb02df066ef000efd0ac755beb
                                                                                                                                                  • Instruction Fuzzy Hash: 68E0ECB0D4C30186DB007BB84A3231AB6945F41649FA0C97DD8ECDA240EA34C550DBA3
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                                                                  • String ID: __deregister_frame_info$libgcc_s_dw2-1.dll
                                                                                                                                                  • API String ID: 1646373207-2468945734
                                                                                                                                                  • Opcode ID: 60ec1ff93264b5cb21374382ed051ee1b8ee46deab1b5e1f4b00cfef9ff05276
                                                                                                                                                  • Instruction ID: d967d2725b550c3576d6391534d3f75e778204873df279c466e6d53fa62730c8
                                                                                                                                                  • Opcode Fuzzy Hash: 60ec1ff93264b5cb21374382ed051ee1b8ee46deab1b5e1f4b00cfef9ff05276
                                                                                                                                                  • Instruction Fuzzy Hash: CEE0127052930196D7043BB98A32F1E7AE45F5270DF41456DCCACDA641DA3CD550CEA3
                                                                                                                                                  APIs
                                                                                                                                                  • MultiByteToWideChar.KERNEL32 ref: 62E9201D
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ByteCharMultiWide
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 626452242-0
                                                                                                                                                  • Opcode ID: be64d06f747a94108f9c39fd63644a07c2cf84a0a53d75ed5f629bff19d13eda
                                                                                                                                                  • Instruction ID: b9ba0388fa14da6dad618d5988fd3d01a2f40129fb213af227550b61a41b63b6
                                                                                                                                                  • Opcode Fuzzy Hash: be64d06f747a94108f9c39fd63644a07c2cf84a0a53d75ed5f629bff19d13eda
                                                                                                                                                  • Instruction Fuzzy Hash: EB3106B09083419FD7009F29C05431AFBE1AF8A318F64C96EE4E88B791D7BAD585CB42
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateEventcalloc
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2382962142-0
                                                                                                                                                  • Opcode ID: fe9b94f03c507b62961a22114731d2cca6af25826c83a340401ff82988b4f688
                                                                                                                                                  • Instruction ID: 8d8438d77b22b45abeceb773f761cbafb17b6cafe787b34b5a1d2613cc2ecaf0
                                                                                                                                                  • Opcode Fuzzy Hash: fe9b94f03c507b62961a22114731d2cca6af25826c83a340401ff82988b4f688
                                                                                                                                                  • Instruction Fuzzy Hash: 65213971915300CEE7009F28D4A4B56BBE0EF41718F1585ADD8588F39AD77EC984DF92
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: freemallocstrcpy
                                                                                                                                                  • String ID: out of memory
                                                                                                                                                  • API String ID: 3657993821-2599737071
                                                                                                                                                  • Opcode ID: a6788211505ed41240f3cc180a98e73de7ebd5873fbbbe4eb788649ddfafb583
                                                                                                                                                  • Instruction ID: cc4a44eeca078f3f5c00fa488ea11859dbe9b26f4b5dca285a50a591e43a1707
                                                                                                                                                  • Opcode Fuzzy Hash: a6788211505ed41240f3cc180a98e73de7ebd5873fbbbe4eb788649ddfafb583
                                                                                                                                                  • Instruction Fuzzy Hash: A4218E75A002508BCB149F3DC49054A7BA5EF81278B25C7AAEC688F3DAE735D901CB90
                                                                                                                                                  APIs
• pthread_kill.PTHREADGC2 ref: 62483B1A
  • Part of subcall function 62482540: SetEvent.KERNEL32 ref: 6248259C
  • Part of subcall function 62482540: SetEvent.KERNEL32(00000000), ref: 624825F0
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Event$pthread_kill
• String ID:
• API String ID: 1525206388-0
• Opcode ID: cca885924b5ae6e422f33d72afe8e60ae0c738d96302968453513f15b071addc
• Instruction ID: 9344bf7d3d3f45a76108e8ae8e02f19abc5ae749bc44e44966a7a780464d8b43
• Opcode Fuzzy Hash: cca885924b5ae6e422f33d72afe8e60ae0c738d96302968453513f15b071addc
• Instruction Fuzzy Hash: 492150B16187048BC310AF68D4A0B8EFBE1EF84354F00492FE89887711E77DE949CB92
APIs
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000016,?,?,62483BCC), ref: 624812D4
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Event
• String ID:
• API String ID: 4201588131-0
• Opcode ID: 1cb04a85dd655daaec69490169899d9918cd4867747e3c8c0427672940556042
• Instruction ID: 84949fac7fc8a36b0714193aee40776c256820cfe6d3d29deb4c626d6a1e3a5e
• Opcode Fuzzy Hash: 1cb04a85dd655daaec69490169899d9918cd4867747e3c8c0427672940556042
• Instruction Fuzzy Hash: 6C1142705153028FE704AF39C864B27B7E1AF85324F15C92DD4A88B284DB39D586CBD2
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Event
• String ID:
• API String ID: 4201588131-0
• Opcode ID: 5d1cc87b1f2619927d9f60c97b80fdb450b3eebf96142e7e5a163d2f2b17b9c4
• Instruction ID: 2ca1326a880d9e1a5486ca75b1f177029b01c7706cfccee94dd1b4bb81b54b17
• Opcode Fuzzy Hash: 5d1cc87b1f2619927d9f60c97b80fdb450b3eebf96142e7e5a163d2f2b17b9c4
• Instruction Fuzzy Hash: EC1130715153118BD701AF38D9A4B2BBBE0EF81B28F05865DD8AC4B385DB39C545CBD2
APIs
• ___BuildCatchObject.LIBCMT ref: 6BC52FD7
  • Part of subcall function 6BC535E8: ___BuildCatchObjectHelper.LIBCMT ref: 6BC5361A
  • Part of subcall function 6BC535E8: ___AdjustPointer.LIBCMT ref: 6BC53631
• _UnwindNestedFrames.LIBCMT ref: 6BC52FEE
• ___FrameUnwindToState.LIBCMT ref: 6BC53000
• CallCatchBlock.LIBCMT ref: 6BC53024
Memory Dump Source
• Source File: 0000000F.00000002.1772694379.000000006BC04000.00000080.00000001.01000000.0000001D.sdmp, Offset: 6BC00000, based on PE: true
• Associated: 0000000F.00000002.1772566060.000000006BC00000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1772649678.000000006BC01000.00000040.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773080344.000000006BC5F000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773185176.000000006BC6F000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773235468.000000006BC73000.00000008.00000001.01000000.0000001D.sdmp
• Associated: 0000000F.00000002.1773277104.000000006BC74000.00000002.00000001.01000000.0000001D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6bc00000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
• String ID:
• API String ID: 2901542994-0
• Opcode ID: d9c8505a87c2078492c87fb45d0f4c4105242122976364879d9aae7867d988f7
• Instruction ID: 02be67611e275a7c18bb0cc2398a4878b35da2db31771bcd85bdf9e38d701932
• Opcode Fuzzy Hash: d9c8505a87c2078492c87fb45d0f4c4105242122976364879d9aae7867d988f7
• Instruction Fuzzy Hash: B1011773010108BBCF129FA9DC05ECA3BBABF88754F014155F918A5120E33AE5B1DBA4
APIs
• pthread_mutex_lock.PTHREADGC2 ref: 62487AA7
  • Part of subcall function 624872FC: WaitForSingleObject.KERNEL32 ref: 6248734E
• pthread_mutex_unlock.PTHREADGC2 ref: 62487AC1
• pthread_mutex_unlock.PTHREADGC2 ref: 62487AD6
• _errno.MSVCRT ref: 62487ADC
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: pthread_mutex_unlock$ObjectSingleWait_errnopthread_mutex_lock
• String ID:
• API String ID: 215466170-0
• Opcode ID: 6cecc9a5d7bced40b67a93a305527345e7b2ab13807582126a7517349632aba6
• Instruction ID: 4814f442e33adf94ce8d312c1e1185aa42f4c75f55570ca3394199fd13036c9d
• Opcode Fuzzy Hash: 6cecc9a5d7bced40b67a93a305527345e7b2ab13807582126a7517349632aba6
• Instruction Fuzzy Hash: 75018B392293058FD704DF6988E0E6B7BE4EFC6354F05892CD8A84F340C779DA008B82
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
• Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: strlenwcslen
• String ID: (null)$(null)
• API String ID: 803329031-1601437019
• Opcode ID: 4913ce2f320ebb0549890763b8fa6489269299a8b9d71eb9ea2c852bf4ecbde1
• Instruction ID: 635195b0ada917927a36bfc059720cfaac79592eabb7390625485e81ea74c318
• Opcode Fuzzy Hash: 4913ce2f320ebb0549890763b8fa6489269299a8b9d71eb9ea2c852bf4ecbde1
• Instruction Fuzzy Hash: 43F03675E485504BC7219A2890B022A77925EC2314BB9D83EECE90B344EB3ED843DB42
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
• Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: freemallocsprintf
• String ID: <fd:%d>
• API String ID: 887708770-558891604
• Opcode ID: 4bded4b9b3875408d02228b130eaedb50823f9ee2c60baa8a696f78d842d05ff
• Instruction ID: 5c4feb52ea3f02cf216a44b082b1f74230004a51ba4a59a00141a3649e306bc8
• Opcode Fuzzy Hash: 4bded4b9b3875408d02228b130eaedb50823f9ee2c60baa8a696f78d842d05ff
• Instruction Fuzzy Hash: C5F05470E143056BDB006FB9D4A019EBBE4AF45364F61D97EE8ED97380DB78D9408781
APIs
• pthread_getspecific.PTHREADGC2(?,?,?,?,?,?,?,?,?,00000000), ref: 6248AAE8
  • Part of subcall function 62484FD8: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,62485041), ref: 62484FE5
  • Part of subcall function 62484FD8: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,62485041), ref: 62484FF1
  • Part of subcall function 62484FD8: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,62485041), ref: 62484FFE
• exit.MSVCRT ref: 6248AB03
• _endthreadex.MSVCRT ref: 6248AB23
• longjmp.MSVCRT ref: 6248AB4A
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ErrorLast$Value_endthreadexexitlongjmppthread_getspecific
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 396027996-0
                                                                                                                                                  • Opcode ID: 9fb777ef3ce833196eddc44ebfa98496b922aef84efd352003a00c9ed8a328c5
                                                                                                                                                  • Instruction ID: 99688872579fabfb7fc20515069e84be96d638804d98358316ab959e85379aab
                                                                                                                                                  • Opcode Fuzzy Hash: 9fb777ef3ce833196eddc44ebfa98496b922aef84efd352003a00c9ed8a328c5
                                                                                                                                                  • Instruction Fuzzy Hash: B5F0F6B08193008FC700EF35C494A1DBBE1AF46308F41591DD9944B395C3B9D489CF82
APIs
Strings
• too many length or distance symbols, xrefs: 62E8A9B1
• invalid code lengths set, xrefs: 62E8AB72
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
• Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: crc32
• String ID: invalid code lengths set$too many length or distance symbols
• API String ID: 2947273566-2975660856
• Opcode ID: c2e9089ffb6f315c9d30aa2cd025f19a67555420b5fbd0b031a28bcd39b5b65f
• Instruction ID: 311207fce6e88cc2a1db5c06ead795eab4917e121b3dc5cf4d6ed19da708d3eb
• Opcode Fuzzy Hash: c2e9089ffb6f315c9d30aa2cd025f19a67555420b5fbd0b031a28bcd39b5b65f
• Instruction Fuzzy Hash: 54A13775E042199BDB04CFA9D49069DF7F1FF89318F24C16AE888AB355D378A981CF81
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
• Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: crc32
• String ID: invalid block type
• API String ID: 2947273566-1830746294
• Opcode ID: 59bdd6ca45b0aa0090bcfbfe41ff55f98eaf94bb4b542a4efc0b63bb8b378044
• Instruction ID: 3295062f5dde310f5636d65f1ec35b96ed74629fd08cf1f79eab2ec8271d30eb
• Opcode Fuzzy Hash: 59bdd6ca45b0aa0090bcfbfe41ff55f98eaf94bb4b542a4efc0b63bb8b378044
• Instruction Fuzzy Hash: 1C810675A44209DBCB04CFA9C4A069DB7B1FF49358B24C16AD898AB345D339E982CF91
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
• Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: crc32
• String ID: header crc mismatch
• API String ID: 2947273566-1313727592
• Opcode ID: 018e59e15aa6e2336e0997ff4f64e40f70860181e566562edfc7115f02e88393
• Instruction ID: a01bd160c1fb0f939d7810cc6d1330e15664bc33bee7a95c6d5572cb854eeb17
• Opcode Fuzzy Hash: 018e59e15aa6e2336e0997ff4f64e40f70860181e566562edfc7115f02e88393
• Instruction Fuzzy Hash: 14714C75E442058FDB04CF68D49069DF7B2BF49358F34C16AE898AB345D339E982CB91
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
• Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: crc32
• String ID: header crc mismatch
• API String ID: 2947273566-1313727592
• Opcode ID: c3565ef74f0b3bee6c75b2001dac9d3bcdbd94bb8e8f9689cec14ec29bbcd97a
• Instruction ID: beca173bf11b9b78fbdf1b730865f436c2408ec299ace271a8524671360df65b
• Opcode Fuzzy Hash: c3565ef74f0b3bee6c75b2001dac9d3bcdbd94bb8e8f9689cec14ec29bbcd97a
• Instruction Fuzzy Hash: E2611875E002099FDB04CF69D49069DB7F2BF88358F24C16AE858AB345D379E982CB81
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
• Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID:
• String ID: 8dPb$dPb
• API String ID: 0-2040359314
• Opcode ID: 71242c0eba6a71534164effd7f2a4a62ee84c3301eec19164f18f91740489dcc
• Instruction ID: 5660c40a58727b4baae394a332ff00dbc969ee4e0c8cdfb865c9e24968efdd64
• Opcode Fuzzy Hash: 71242c0eba6a71534164effd7f2a4a62ee84c3301eec19164f18f91740489dcc
• Instruction Fuzzy Hash: 865109B4504B429FDB10CF28C598385BBE0FF18328F258669D89C8BB95D779E494CF81
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
• Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: CriticalSection$EnterLeavefree
• String ID:
• API String ID: 4020351045-0
• Opcode ID: b19effc21153126c41d13688b4af2623874b2ad4fc79623f004b4549b5b8e445
• Instruction ID: f1ec7cb7deadbef1e17ecafad7cdce0f9c1ebfb260ccd2c869b979e3727b9da6
• Opcode Fuzzy Hash: b19effc21153126c41d13688b4af2623874b2ad4fc79623f004b4549b5b8e445
• Instruction Fuzzy Hash: A5014070B25205DF8B04EFB8D4A1E1ABBF5AF46308B14896E984CCB305E734DD81CB52
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
• Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
Similarity
• API ID: CriticalSection$EnterLeavefree
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4020351045-0
                                                                                                                                                  • Opcode ID: 11746a6a527303b8efd60029336c3dda17896735f817a7a2687bf2ce6ac027eb
                                                                                                                                                  • Instruction ID: 0155175c9fb7cb9bea99746a20f5fe7cb1130d1ef3ace2207ec1e516fce1448c
                                                                                                                                                  • Opcode Fuzzy Hash: 11746a6a527303b8efd60029336c3dda17896735f817a7a2687bf2ce6ac027eb
                                                                                                                                                  • Instruction Fuzzy Hash: C6015B74B04304CF8B00EF78C2A694EB7E1AB81348B38C47EE59D87314E631E885C752
                                                                                                                                                  APIs
                                                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,6248D285,?,?,?,?,?,6248CCC0), ref: 6248D10F
                                                                                                                                                  • TlsGetValue.KERNEL32(?,?,?,?,6248D285,?,?,?,?,?,6248CCC0), ref: 6248D125
                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,6248D285,?,?,?,?,?,6248CCC0), ref: 6248D12D
                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,6248D285,?,?,?,?,?,6248CCC0), ref: 6248D150
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1771801708.0000000062481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 62480000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1771763229.0000000062480000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771881124.000000006248F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771930715.0000000062494000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771965646.0000000062495000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1771998747.0000000062498000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.0000000062499000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772036245.000000006249B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62480000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 682475483-0
                                                                                                                                                  • Opcode ID: 98b6f7aa4ac330f3e5b19130bfacf9953b8a43b77346e6f2206bbd47adee2663
                                                                                                                                                  • Instruction ID: d9e5e088027a723fef4f9c1f46e7f733cbd0434417b6046f22189faa1ab97506
                                                                                                                                                  • Opcode Fuzzy Hash: 98b6f7aa4ac330f3e5b19130bfacf9953b8a43b77346e6f2206bbd47adee2663
                                                                                                                                                  • Instruction Fuzzy Hash: 1EF0AF71A16210DB8F00BFB9D8E1EAABBE8EE4971CF00045EDD4897205E734D9408AE2
                                                                                                                                                  APIs
                                                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,62E8E676,?,?,?,?,?,62E8E093), ref: 62E8E5EF
                                                                                                                                                  • TlsGetValue.KERNEL32(?,?,?,?,62E8E676,?,?,?,?,?,62E8E093), ref: 62E8E606
                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,62E8E676,?,?,?,?,?,62E8E093), ref: 62E8E610
                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,62E8E676,?,?,?,?,?,62E8E093), ref: 62E8E633
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000F.00000002.1772170375.0000000062E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62E80000, based on PE: true
                                                                                                                                                  • Associated: 0000000F.00000002.1772130830.0000000062E80000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772298207.0000000062E95000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772380944.0000000062E9C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772423793.0000000062E9D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772485868.0000000062EA0000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  • Associated: 0000000F.00000002.1772524406.0000000062EA1000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_15_2_62e80000_Coolmuster PDF Image Extractor.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 682475483-0
                                                                                                                                                  • Opcode ID: 44abea60224ae81af183f1106712b24b10f5ffda6adc061e4308eaf9403e578a
                                                                                                                                                  • Instruction ID: d4502ed7beb07bd4002f05f736ff239b097c20329b2b311a15df780a750e76bc
                                                                                                                                                  • Opcode Fuzzy Hash: 44abea60224ae81af183f1106712b24b10f5ffda6adc061e4308eaf9403e578a
                                                                                                                                                  • Instruction Fuzzy Hash: 85F06271D047108B9B10FFB895A269EB7A4AE4035CF24847EEDAC87605EB30E558C693

Execution Graph

Execution Coverage: 4.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 35.7%
Total number of Nodes: 14
Total number of Limit Nodes: 1

execution_graph (nodes as "id address [API]", edges as "from->to")
5465 7ffec7f02f0b
5466 7ffec7f02f38
5465->5466
5469 7ffec7f02bd0
5466->5469
5468 7ffec7f02f73
5470 7ffec7f02bd5
5469->5470
5471 7ffec7f1d0c3 GetSystemInfo
5470->5471
5472 7ffec7f1d030
5470->5472
5473 7ffec7f1d0fe
5471->5473
5472->5468
5473->5468
5461 7ffec7f083a2
5462 7ffec7f1c560 ComputeAccessTokenFromCodeAuthzLevel
5461->5462
5464 7ffec7f1c60e
5462->5464
5457 7ffec7f07b71
5458 7ffec7f07b7f GetFileAttributesW
5457->5458
5460 7ffec7f07c26
5458->5460

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000001A.00000002.2549269015.00007FFEC7F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC7F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_7ffec7f00000_powershell.jbxd
Similarity
• API ID: InfoSystem
• String ID:
• API String ID: 31276548-0
• Opcode ID: 9684cd8fd468f98cc56278d7e87cfba18097fbbc71e568939896e370baf809e6
• Instruction ID: 84b5af61d13fa6b43b900808b5a04f88c5c95de2349bdbf9ae699f78c6d4b467
• Opcode Fuzzy Hash: 9684cd8fd468f98cc56278d7e87cfba18097fbbc71e568939896e370baf809e6
• Instruction Fuzzy Hash: 93412A3190CA8C4FEB58EB2898866F97BF0EF55324F04423EF04DD3192DB65A456CB91

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000001A.00000002.2549269015.00007FFEC7F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC7F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_7ffec7f00000_powershell.jbxd
Similarity
• API ID: AccessAuthzCodeComputeFromLevelToken
• String ID:
• API String ID: 132034935-0
• Opcode ID: 5dd163f8eb1bc85172541b3a09b187804d00470b304c0798d7e70e5f3d1e256a
• Instruction ID: 9aa9577fde21301a9efb906dbf14f9278346d862cfe999966da29ebcfe35c900
• Opcode Fuzzy Hash: 5dd163f8eb1bc85172541b3a09b187804d00470b304c0798d7e70e5f3d1e256a
• Instruction Fuzzy Hash: 0131A471918A1C8FDB58DF9CD8456F977E1FBA9721F00423EE04AE3252DB74A816CB81

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000001A.00000002.2549269015.00007FFEC7F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC7F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_7ffec7f00000_powershell.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: edb024033775ae73845c27d670484b225c1215ad2aaaf623e31350b61490e2c5
• Instruction ID: f5dad99d0e27570f527e37d54c9bebcbb9adb9ced05a02a9452d48417459653d
• Opcode Fuzzy Hash: edb024033775ae73845c27d670484b225c1215ad2aaaf623e31350b61490e2c5
• Instruction Fuzzy Hash: 4531A27190CA8C8FDB59DF6C88896E9BFF0EF66321F04426FD049D3252DB606815CB91

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000001A.00000002.2549269015.00007FFEC7F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC7F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_7ffec7f00000_powershell.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 5e4371f57cc4252a6a9470d168a9a0be28ab236c15a9b040aa180d6094ab8775
• Instruction ID: e41a69cf8b919116b28e2269e6353fa0f748e355769282214505f868f324f79c
• Opcode Fuzzy Hash: 5e4371f57cc4252a6a9470d168a9a0be28ab236c15a9b040aa180d6094ab8775
• Instruction Fuzzy Hash: 5E216171908A1C9FDB58DF58C849AF9BBE1FF69321F00822FD00AD3651DB70A8168B91

Control-flow Graph

• Executed
• Not Executed

control_flow_graph (basic blocks as "id start-end", edges as "from->to")
178 7ffec851610c-7ffec8516113
179 7ffec851611e-7ffec85161ad
178->179
180 7ffec8516115-7ffec851611d
178->180
183 7ffec85161af-7ffec85161b4
179->183
184 7ffec85161b7-7ffec85161ee
179->184
180->179
183->184
185 7ffec85161f5-7ffec8516202
184->185
186 7ffec8516204
185->186
187 7ffec851620a-7ffec8516229
185->187
186->187
Memory Dump Source
• Source File: 0000001A.00000002.2568776707.00007FFEC8510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_7ffec8510000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c38e60d276f1caaf78dec36b9a3651316622b3c5f21530c00ed5368c13de8dc1
• Instruction ID: 18182e4539918ed6db7c6620bce5749dfd8e80cd1532342339fa63a0b8fab8f3
• Opcode Fuzzy Hash: c38e60d276f1caaf78dec36b9a3651316622b3c5f21530c00ed5368c13de8dc1
• Instruction Fuzzy Hash: 2541C67180CB488FDB18DF58D8466E9BBF0EF59311F04426FE049D3252CB746845CB92
Memory Dump Source
• Source File: 0000001A.00000002.2568776707.00007FFEC8510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_7ffec8510000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6b0a0798bf6437fa180757c74f0d30072b898bb0c87b754719e04278a6aa415a
• Instruction ID: be37c82941fc2184378c768198cc92f6cf7c8c586eb2f4ed03c9c555967dd5c4
• Opcode Fuzzy Hash: 6b0a0798bf6437fa180757c74f0d30072b898bb0c87b754719e04278a6aa415a
• Instruction Fuzzy Hash: 9111A92271CE0B5FFB88DA19E484BB1A3C2EB55350F4441B5E04DC36D2DE99ED81C784
Memory Dump Source
• Source File: 0000001A.00000002.2568776707.00007FFEC8510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_7ffec8510000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 08cdfa201d5111012af357fed8d0641b5d7f615bfdb891512c67007c122659e7
• Instruction ID: 469d49ff6511bd8c7d40275b6d88a692611b85108c096856c0a11ba06c63b629
• Opcode Fuzzy Hash: 08cdfa201d5111012af357fed8d0641b5d7f615bfdb891512c67007c122659e7
                                                                                                                                                  • Instruction Fuzzy Hash: A9112B11609F881FE799DA2484D57623BE5EF9A310F4941BDE04DCB2D7DE5CAC45C311
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001A.00000002.2568776707.00007FFEC8510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8510000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_26_2_7ffec8510000_powershell.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 97f3e370b84ca195fd35e44132bdfc5361affb283be2b6712672f1be58b9a2a4
                                                                                                                                                  • Instruction ID: c7b4118c904d164ceb8178de85ade80507ba3359352eb87bf7f1a094d3139dba
                                                                                                                                                  • Opcode Fuzzy Hash: 97f3e370b84ca195fd35e44132bdfc5361affb283be2b6712672f1be58b9a2a4
                                                                                                                                                  • Instruction Fuzzy Hash: 9AF0A736B5CA540BE21CA96C74521BAB3C1FB8A621F60417EE84EC21D6DD5E68434185
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001A.00000002.2568776707.00007FFEC8510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8510000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_26_2_7ffec8510000_powershell.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: cc11f8a20165f40fb2f79a7fce3c2ad6c02b4c1ff8c7b3fa54961606b89642a4
                                                                                                                                                  • Instruction ID: 9491c614322ff01ba3ccef2650c07e5ed9b447cc105db2c10e1715d82396bd1b
                                                                                                                                                  • Opcode Fuzzy Hash: cc11f8a20165f40fb2f79a7fce3c2ad6c02b4c1ff8c7b3fa54961606b89642a4
                                                                                                                                                  • Instruction Fuzzy Hash: A4E04F11B1CE0B1FFA949B1E949577261C3FB9C340F4540B4A80CD3BCADE58EC404285
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001A.00000002.2568776707.00007FFEC8510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8510000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_26_2_7ffec8510000_powershell.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9c7ba892fb913e3f2aa504d74a82d54b8e30bf31b91341c41947a4547ce66dd0
                                                                                                                                                  • Instruction ID: e13e5d5a1a3d05a0a8cc11d653d5e6fb82febfd83ed0dbcef2bc202ae98a58bd
                                                                                                                                                  • Opcode Fuzzy Hash: 9c7ba892fb913e3f2aa504d74a82d54b8e30bf31b91341c41947a4547ce66dd0
                                                                                                                                                  • Instruction Fuzzy Hash: 03E07D3271C6460CF6040A1C74612F567C0DF51331F8011BEF0C6471DADC8F2682C189
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001A.00000002.2568776707.00007FFEC8510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8510000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_26_2_7ffec8510000_powershell.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9001f00b50824edf2da62f48f9007ae8d85b9aaf74301eeb249253ab8dd182f3
                                                                                                                                                  • Instruction ID: 91d2879d93319411215d04ffcb0a3e13cbfc370162b9082700eafc6b9a9fe3f3
                                                                                                                                                  • Opcode Fuzzy Hash: 9001f00b50824edf2da62f48f9007ae8d85b9aaf74301eeb249253ab8dd182f3
                                                                                                                                                  • Instruction Fuzzy Hash: DEE01220725D056B964EA72D556517D71C2EFD8201B94413CF05ED32DADE2CA8428145
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001A.00000002.2568776707.00007FFEC8510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8510000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_26_2_7ffec8510000_powershell.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: ca9fb05bae4600b0fc0e1da53d09fb8cdeba5f69e1f28a03502ea8fbc0e9c404
                                                                                                                                                  • Instruction ID: 315ea0b466cfd4cdf4dd6a26628df97f6a1436ea81ef239f2e26ae90113d4820
                                                                                                                                                  • Opcode Fuzzy Hash: ca9fb05bae4600b0fc0e1da53d09fb8cdeba5f69e1f28a03502ea8fbc0e9c404
                                                                                                                                                  • Instruction Fuzzy Hash: 74E0C21075DB4E0DF6946A2878A13F466C1DF40319F441577F159C45EAEE9E65888205
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001A.00000002.2578590560.00007FFEC8850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8850000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_26_2_7ffec8850000_powershell.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 4cff53ecaaccc7b09a6ac4119b2a56d210828427b8fdd4d881ac9153e6d39853
                                                                                                                                                  • Instruction ID: 874d9ec04d3d58031c3f23166b792d9fa91b6c407f69ec1f8ffe3795326c04bb
                                                                                                                                                  • Opcode Fuzzy Hash: 4cff53ecaaccc7b09a6ac4119b2a56d210828427b8fdd4d881ac9153e6d39853
                                                                                                                                                  • Instruction Fuzzy Hash: E8D0A710B0D99C2B9655E67D21235AE6DC38F89940B5802EEE4CBD36C7CC0859068389
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001A.00000002.2578590560.00007FFEC8850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8850000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_26_2_7ffec8850000_powershell.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 92c4af0cf0a758d0b24cc4cd32954bdd9e51c3ba769030fdd52ba2f5d1fb26c0
                                                                                                                                                  • Instruction ID: a6be1510ffb4fcc92ec30c057c79dcff460d21f3c64c5aaaaf71925d7dbd2fc1
                                                                                                                                                  • Opcode Fuzzy Hash: 92c4af0cf0a758d0b24cc4cd32954bdd9e51c3ba769030fdd52ba2f5d1fb26c0
                                                                                                                                                  • Instruction Fuzzy Hash: 3CD02210B2880F0B8AA4EB3CEC518E9E3D5EFC83603540725E02CC3389DA18A8930BC1