Windows Analysis Report
Archive.zip

Overview

General Information

Sample name:Archive.zip
Analysis ID:1541179
MD5:c60cd0df4975d745722d1776d5be95b5
SHA1:f8e2eb05478108eae1f8fa28f70ebb64163d032d
SHA256:f1ed181ee30a70c0f71aacf7c592be0e6589421bc479e379109c4c3f572bb663
Infos:

Detection

Score:34
Range:0 - 100
Whitelisted:false
Confidence:20%

Signatures

Accesses ntoskrnl, likely to find offsets for exploits
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic

Classification

  • System is w10x64_ra
  • rundll32.exe (PID: 7060 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • pdf_editor_setup_Downloadly.ir.exe (PID: 1316 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe" MD5: 427D86902D064DCBDE0EB4F2D7FD601A)
    • pdf_editor_setup_Downloadly.ir.tmp (PID: 2200 cmdline: "C:\Users\user\AppData\Local\Temp\is-BA69I.tmp\pdf_editor_setup_Downloadly.ir.tmp" /SL5="$601F8,22152334,238080,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe" MD5: 4BE9718959029220FC534542CB891006)
      • pdf_editor_setup_Downloadly.ir.exe (PID: 2884 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe" /SPAWNWND=$602C2 /NOTIFYWND=$601F8 MD5: 427D86902D064DCBDE0EB4F2D7FD601A)
        • pdf_editor_setup_Downloadly.ir.tmp (PID: 3024 cmdline: "C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp" /SL5="$70300,22152334,238080,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe" /SPAWNWND=$602C2 /NOTIFYWND=$601F8 MD5: 4BE9718959029220FC534542CB891006)
          • chrome.exe (PID: 6380 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.27 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 6184 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1952,i,74056811706744733,4401257274020997871,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • Patch.exe (PID: 1904 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe" MD5: 8E8EB38C6438BAA41A5867B6F465926F)
  • Patch.exe (PID: 2268 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe" MD5: 8E8EB38C6438BAA41A5867B6F465926F)
    • chrome.exe (PID: 3644 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://icecreamapps.com/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 5144 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1956,i,7196489178614102710,14503791149393765188,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • Patch.exe (PID: 6588 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe" MD5: 8E8EB38C6438BAA41A5867B6F465926F)
  • Patch.exe (PID: 2452 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe" MD5: 8E8EB38C6438BAA41A5867B6F465926F)
  • icepdfeditor.exe (PID: 7044 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_5947d8bd2f31bedc98f322800cabd2fb85e56117-2.zip\icepdfeditor.exe" MD5: 6700C9E3B5ADB8292F5FF09D1C38C920)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
Process Memory Space: Patch.exe PID: 2268 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |

Source | Rule | Description | Author | Strings
20.2.Patch.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

No Sigma rule has matched
No Suricata rule has matched

        Source: is-NULG8.tmp.14.dr Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_833af754-6

        Exploits

        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe File opened: C:\Windows\System32\ntkrnlmp.exe
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpWindow detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.IMPORTANT: THIS SOFTWARE END USER LICENSE AGREEMENT ("EULA") IS A LEGAL AGREEMENT BETWEEN YOU AND ICECREAM APPS LIMITED ("ICECREAMAPPS.COM"). USE OF THE SOFTWARE PROVIDED WITH THIS EULA (THE "SOFTWARE") CONSTITUTES YOUR ACCEPTANCE OF THESE TERMS. READ IT CAREFULLY BEFORE COMPLETING THE INSTALLATION PROCESS AND USING THE SOFTWARE. IF YOU DO NOT AGREE TO THE TERMS OF THIS EULA DO NOT INSTALL AND/OR USE THIS SOFTWARE. BY INSTALLING COPYING OR OTHERWISE USING THE SOFTWARE PRODUCT YOU AGREE TO BE BOUND BY THE TERMS OF THIS EULA. 1. LICENSE GRANT. The Software is licensed on per user basis not per computer site or company. This license is not transferable to any other system or to another organization or individual. You are not allowed to remove any proprietary notices or labels from the SOFTWARE. The PRO license can be used on ONE computer belonging to ONE user. The PRO license applies to the version of the program on which it is activated.2. WARRANTY DISCLAIMER. THIS SOFTWARE AND ANY RELATED DOCUMENTATION is PROVIDED "AS IS" AND COMES WITHOUT ANY WARRANTY EITHER EXPRESS OR IMPLIED INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OR MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. THE USE AND PERFORMANCE OF THIS SOFTWARE ARE SOLELY AT YOUR OWN RISK.3. FREE USE. You may install and use the SOFTWARE free of charge for personal educational (non-profit) use. In these cases you are granted the right to use and to make an unlimited number of copies of this software. Some features of the SOFTWARE may be limited or unavailable in free version of the SOFTWARE. To enable all the features you need to upgrade the SOFTWARE to PRO version. 
Full list of limited features is presented on Upgrade page of the SOFTWARE at icecreamapps.com.4. COMMERCIAL USE. For usage in corporate or commercial environment you will need to upgrade the SOFTWARE to PRO version by obtaining an activation key at icecreamapps.com. 5. REVERSE ENGINEERING. You agree that you will not attempt to reverse compile modify translate or disassemble the Software in whole or in part. 6. COPYRIGHT. The SOFTWARE is intellectual property of Icecream Apps Ltd and is protected by law. You acknowledge that all intellectual property rights in the SOFTWARE anywhere in the world belong to Icecream Apps Ltd that rights in the SOFTWARE are licensed (not sold) to you and that you have no rights in or to the SOFTWARE other than the right to use them in accordance with the terms of this License. You are not allowed to resell charge for rent lease loan sublicense or assign the SOFTWARE or any copy thereof including any related documentation.7. LIMITATION OF LIABILITY. IN NO EVENT SHALL ICECREAM APPS LTD BE LIABLE FOR ANY SPECIAL INCIDENTAL INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER (IN
        Source: Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtiff.pdbDD source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000066EE000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: C:\Users\qt\work\qt\qtsvg\plugins\iconengines\qsvgicon.pdb source: is-EH0TS.tmp.14.dr
        Source: Binary string: C:\Users\qt\work\qt\qtsvg\plugins\imageformats\qsvg.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.0000000006694000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ucrtbase.pdb source: is-SS9TM.tmp.14.dr
        Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdb source: is-HDI2E.tmp.14.dr
        Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: is-US2TH.tmp.14.dr
        Source: Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtiff.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000066EE000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: D:\Work\PdfEditor\icepdfeditor-Desktop_Qt_5_15_1_MSVC2019_32bit\bin\icepdfeditor.pdb source: icepdfeditor.exe, 0000001D.00000000.2422453008.00000000006A7000.00000002.00000001.01000000.0000000F.sdmp
        Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: is-9LV8H.tmp.14.dr, is-9JTNT.tmp.14.dr
        Source: Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtga.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.0000000006694000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: is-I5AN5.tmp.14.dr
        Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\styles\qwindowsvistastyle.pdb''! source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000060A0000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qicns.pdb source: is-IUBHJ.tmp.14.dr
        Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: is-HINO1.tmp.14.dr
        Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: is-MDI6D.tmp.14.dr
        Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\styles\qwindowsvistastyle.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000060A0000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qwebp.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000066EE000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: msvcr120.i386.pdb source: is-GS8SF.tmp.14.dr
        Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdbV source: is-HDI2E.tmp.14.dr
        Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Gui.pdb source: is-CJEQM.tmp.14.dr
        Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qjpeg.pdbTT source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.0000000006694000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: E:\distr\development\crashrpt\CrashRpt_v.1.4.3_r1645\bin\CrashSender.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000060A0000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ucrtbase.pdbUGP source: is-SS9TM.tmp.14.dr
        Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\platforms\qwindows.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000066EE000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qjpeg.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.0000000006694000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qwbmp.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000066EE000.00000004.00001000.00020000.00000000.sdmp, is-3RLDL.tmp.14.dr
        Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: is-OPH5U.tmp.14.dr, is-S3L1J.tmp.14.dr
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe Code function: 20_2_0040A3B8 FindFirstFileA,GetLastError, 20_2_0040A3B8
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe Code function: 20_2_0040A07E FindFirstFileA,FindClose, 20_2_0040A07E
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe Code function: 20_2_0040A190 FindFirstFileA,FindClose, 20_2_0040A190
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe Code function: 20_2_00406490 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 20_2_00406490
        Source: chrome.exe Memory has grown: Private usage: 1MB later: 28MB
        Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
        Source: Joe Sandbox View IP Address: 92.223.124.62 92.223.124.62
        Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global traffic HTTP traffic detected:
            GET /PDF-Editor/thankyou.html?v=3.27 HTTP/1.1
            Host: icecreamapps.com
            Connection: keep-alive
            sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
            sec-ch-ua-mobile: ?0
            sec-ch-ua-platform: "Windows"
            Upgrade-Insecure-Requests: 1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
            Sec-Fetch-Site: none
            Sec-Fetch-Mode: navigate
            Sec-Fetch-User: ?1
            Sec-Fetch-Dest: document
            Accept-Encoding: gzip, deflate, br
            Accept-Language: en-US,en;q=0.9
        Source: global traffic HTTP traffic detected:
            GET / HTTP/1.1
            Host: icecreamapps.com
            Connection: keep-alive
            sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
            sec-ch-ua-mobile: ?0
            sec-ch-ua-platform: "Windows"
            Upgrade-Insecure-Requests: 1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
            Sec-Fetch-Site: none
            Sec-Fetch-Mode: navigate
            Sec-Fetch-User: ?1
            Sec-Fetch-Dest: document
            Accept-Encoding: gzip, deflate, br
            Accept-Language: en-US,en;q=0.9
            Cookie: ic_d=671a42dfcaa3b8.16240271
        Source: global traffic DNS traffic detected: DNS query: icecreamapps.com
        Source: global traffic DNS traffic detected: DNS query: static.icecreamapps.com
        Source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000060A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://code.google.com/p/crashrpt/wiki/FAQ
        Source: pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1327018701.0000000002530000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000A.00000003.1330439365.0000000003300000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 0000000D.00000003.1568641147.0000000002845000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1564277828.0000000003620000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://counter-strike.com.ua/
        Source: pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1328241437.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1327884876.0000000002663000.00000004.00001000.00020000.00000000.sdmp, Patch.exe, 00000014.00000003.1637001077.0000000005E21000.00000004.00000020.00020000.00000000.sdmp, is-NULG8.tmp.14.drString found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0V
        Source: pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1328241437.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1327884876.0000000002663000.00000004.00001000.00020000.00000000.sdmp, Patch.exe, 00000014.00000003.1637001077.0000000005E21000.00000004.00000020.00020000.00000000.sdmp, is-NULG8.tmp.14.drString found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
        Source: pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1328241437.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1327884876.0000000002663000.00000004.00001000.00020000.00000000.sdmp, Patch.exe, 00000014.00000003.1637001077.0000000005E21000.00000004.00000020.00020000.00000000.sdmp, is-NULG8.tmp.14.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
        Source: pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1328241437.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1327884876.0000000002663000.00000004.00001000.00020000.00000000.sdmp, Patch.exe, 00000014.00000003.1637001077.0000000005E21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
        Source: pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1328241437.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1327884876.0000000002663000.00000004.00001000.00020000.00000000.sdmp, Patch.exe, 00000014.00000003.1637001077.0000000005E21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
        Source: is-NULG8.tmp.14.drString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
        Source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000066EE000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.0000000006694000.00000004.00001000.00020000.00000000.sdmp, is-HDI2E.tmp.14.dr, is-EH0TS.tmp.14.dr, is-IUBHJ.tmp.14.dr, is-3RLDL.tmp.14.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
        Source: pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1328241437.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1327884876.0000000002663000.00000004.00001000.00020000.00000000.sdmp, Patch.exe, 00000014.00000003.1637001077.0000000005E21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
        Source: pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1328241437.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1327884876.0000000002663000.00000004.00001000.00020000.00000000.sdmp, Patch.exe, 00000014.00000003.1637001077.0000000005E21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
        Source: is-NULG8.tmp.14.drString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
        Source: Patch.exe, 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmpString found in binary or memory: http://fontawesome.io
        Source: Patch.exe, 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmpString found in binary or memory: http://fontawesome.io/license/
        Source: Patch.exe, 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmpString found in binary or memory: http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens
        Source: pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1574191607.00000000023C4000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000A.00000003.1571218371.0000000002434000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 0000000D.00000003.1569236366.00000000023B4000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1565046981.0000000002434000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://icecreamapps.com/PDF-Editor/
        Source: pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1327018701.0000000002530000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000A.00000003.1330439365.0000000003300000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://icecreamapps.com/PDF-Editor/Fhttp://icecreamapps.com/PDF-Editor/Fhttp://icecreamapps.com/PDF-
        Source: pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1574191607.00000000023C4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://icecreamapps.com/PDF-Editor/QN
        Source: pdf_editor_setup_Downloadly.ir.exe, 0000000D.00000003.1569236366.00000000023B4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://icecreamapps.com/PDF-Editor/QN;
        Source: icepdfeditor.exe, 0000001D.00000000.2422453008.00000000006A7000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: http://icecreamapps.com/act/crashfix/index.php/crashReport/uploadExternalCould
        Source: pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1328241437.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1327884876.0000000002663000.00000004.00001000.00020000.00000000.sdmp, Patch.exe, 00000014.00000003.1637001077.0000000005E21000.00000004.00000020.00020000.00000000.sdmp, is-NULG8.tmp.14.drString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
        Source: pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1328241437.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1327884876.0000000002663000.00000004.00001000.00020000.00000000.sdmp, Patch.exe, 00000014.00000003.1637001077.0000000005E21000.00000004.00000020.00020000.00000000.sdmp, is-NULG8.tmp.14.drString found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
        Source: pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1328241437.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1327884876.0000000002663000.00000004.00001000.00020000.00000000.sdmp, Patch.exe, 00000014.00000003.1637001077.0000000005E21000.00000004.00000020.00020000.00000000.sdmp, is-NULG8.tmp.14.drString found in binary or memory: http://ocsp.globalsign.com/rootr30;
        Source: pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1328241437.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1327884876.0000000002663000.00000004.00001000.00020000.00000000.sdmp, Patch.exe, 00000014.00000003.1637001077.0000000005E21000.00000004.00000020.00020000.00000000.sdmp, is-NULG8.tmp.14.drString found in binary or memory: http://ocsp.sectigo.com0
        Source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000066EE000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.0000000006694000.00000004.00001000.00020000.00000000.sdmp, is-HDI2E.tmp.14.dr, is-EH0TS.tmp.14.dr, is-IUBHJ.tmp.14.dr, is-3RLDL.tmp.14.drString found in binary or memory: http://ocsp.thawte.com0
        Source: pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1328241437.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1327884876.0000000002663000.00000004.00001000.00020000.00000000.sdmp, Patch.exe, 00000014.00000003.1637001077.0000000005E21000.00000004.00000020.00020000.00000000.sdmp, is-NULG8.tmp.14.drString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
        Source: pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1328241437.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1327884876.0000000002663000.00000004.00001000.00020000.00000000.sdmp, Patch.exe, 00000014.00000003.1637001077.0000000005E21000.00000004.00000020.00020000.00000000.sdmp, is-NULG8.tmp.14.drString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
        Source: pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1328241437.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1327884876.0000000002663000.00000004.00001000.00020000.00000000.sdmp, Patch.exe, 00000014.00000003.1637001077.0000000005E21000.00000004.00000020.00020000.00000000.sdmp, is-NULG8.tmp.14.drString found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
        Source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000066EE000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.0000000006694000.00000004.00001000.00020000.00000000.sdmp, is-HDI2E.tmp.14.dr, is-EH0TS.tmp.14.dr, is-IUBHJ.tmp.14.dr, is-3RLDL.tmp.14.drString found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
        Source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000066EE000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.0000000006694000.00000004.00001000.00020000.00000000.sdmp, is-HDI2E.tmp.14.dr, is-EH0TS.tmp.14.dr, is-IUBHJ.tmp.14.dr, is-3RLDL.tmp.14.drString found in binary or memory: http://t2.symcb.com0
        Source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000066EE000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.0000000006694000.00000004.00001000.00020000.00000000.sdmp, is-HDI2E.tmp.14.dr, is-EH0TS.tmp.14.dr, is-IUBHJ.tmp.14.dr, is-3RLDL.tmp.14.drString found in binary or memory: http://tl.symcb.com/tl.crl0
        Source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000066EE000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.0000000006694000.00000004.00001000.00020000.00000000.sdmp, is-HDI2E.tmp.14.dr, is-EH0TS.tmp.14.dr, is-IUBHJ.tmp.14.dr, is-3RLDL.tmp.14.drString found in binary or memory: http://tl.symcb.com/tl.crt0
        Source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000066EE000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.0000000006694000.00000004.00001000.00020000.00000000.sdmp, is-HDI2E.tmp.14.dr, is-EH0TS.tmp.14.dr, is-IUBHJ.tmp.14.dr, is-3RLDL.tmp.14.drString found in binary or memory: http://tl.symcd.com0&
        Source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000066EE000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.0000000006694000.00000004.00001000.00020000.00000000.sdmp, is-HDI2E.tmp.14.dr, is-EH0TS.tmp.14.dr, is-IUBHJ.tmp.14.dr, is-3RLDL.tmp.14.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
        Source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000066EE000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.0000000006694000.00000004.00001000.00020000.00000000.sdmp, is-HDI2E.tmp.14.dr, is-EH0TS.tmp.14.dr, is-IUBHJ.tmp.14.dr, is-3RLDL.tmp.14.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
        Source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000066EE000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.0000000006694000.00000004.00001000.00020000.00000000.sdmp, is-HDI2E.tmp.14.dr, is-EH0TS.tmp.14.dr, is-IUBHJ.tmp.14.dr, is-3RLDL.tmp.14.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
        Source: icepdfeditor.exe, 0000001D.00000000.2422453008.00000000006A7000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: http://updates.icecreamapps.com/check.php
        Source: icepdfeditor.exe, 0000001D.00000000.2422453008.00000000006A7000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: http://updates.icecreamapps.com/check.phphttps://icecreamapps.comhttps://icecreamapps.com/PDF-Editor
        Source: is-CJEQM.tmp.14.drString found in binary or memory: http://www.aiim.org/pdfa/ns/id/
        Source: is-CJEQM.tmp.14.drString found in binary or memory: http://www.color.org)
        Source: pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1327018701.0000000002530000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000A.00000003.1330439365.0000000003300000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 0000000D.00000003.1569236366.00000000022A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1565046981.0000000002320000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.dk-soft.org/
        Source: pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1327884876.0000000002530000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1328241437.000000007FD10000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000A.00000000.1329214810.0000000000401000.00000020.00000001.01000000.00000007.sdmpString found in binary or memory: http://www.innosetup.com/
        Source: pdf_editor_setup_Downloadly.ir.exe, 00000009.00000000.1325513201.0000000000401000.00000020.00000001.01000000.00000006.sdmpString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
        Source: pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1574191607.0000000002381000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1327018701.0000000002530000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000A.00000003.1330439365.0000000003300000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1566060255.000000000082A000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1565046981.0000000002320000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1564277828.0000000003561000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1566202511.00000000007E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.mpegla.com
        Source: pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1327018701.0000000002530000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000A.00000003.1330439365.0000000003300000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 0000000D.00000003.1569236366.00000000022A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1564277828.0000000003620000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.palkornel.hu/innosetup%1
        Source: pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1327884876.0000000002530000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1328241437.000000007FD10000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000A.00000000.1329214810.0000000000401000.00000020.00000001.01000000.00000007.sdmpString found in binary or memory: http://www.remobjects.com/ps
        Source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000060A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.winimage.com/zLibDll
        Source: is-NULG8.tmp.14.drString found in binary or memory: https://curl.se/V
        Source: is-NULG8.tmp.14.drString found in binary or memory: https://curl.se/docs/alt-svc.html
        Source: is-NULG8.tmp.14.drString found in binary or memory: https://curl.se/docs/copyright.htmlD
        Source: is-NULG8.tmp.14.drString found in binary or memory: https://curl.se/docs/hsts.html
        Source: is-NULG8.tmp.14.drString found in binary or memory: https://curl.se/docs/http-cookies.html
        Source: icepdfeditor.exe, 0000001D.00000000.2422453008.00000000006A7000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: https://data.icecreamapps.com
        Source: icepdfeditor.exe, 0000001D.00000000.2422453008.00000000006A7000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: https://data.icecreamapps.com/?pid=%1&ver=%2&dev=%3Send
        Source: icepdfeditor.exe, 0000001D.00000000.2422453008.00000000006A7000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: https://google.ru
        Source: icepdfeditor.exe, 0000001D.00000000.2422453008.00000000006A7000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: https://google.ruSome
        Source: Patch.exe, Patch.exe, 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, icepdfeditor.exe, 0000001D.00000000.2422453008.00000000006A7000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: https://icecreamapps.com
        Source: Patch.exe, 00000014.00000002.1961130684.0000000000767000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://icecreamapps.com/
        Source: icepdfeditor.exe, 0000001D.00000000.2422453008.00000000006A7000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: https://icecreamapps.com/Howto/how-to-make-icecream-pdf-editor-your-default-PDF-reader.html
        Source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000002.1567194365.0000000000822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://icecreamapps.com/PDF-Edito
        Source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1565046981.0000000002434000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://icecreamapps.com/PDF-Editor
        Source: icepdfeditor.exe, 0000001D.00000000.2422453008.00000000006A7000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: https://icecreamapps.com/PDF-Editor/changelog.html
        Source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1563496269.0000000000830000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.27
        Source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1566202511.00000000007E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.274
        Source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000002.1566748638.0000000000616000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.27C:
        Source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1566060255.0000000000830000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1563496269.0000000000830000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.27l
        Source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1565046981.00000000023EC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://icecreamapps.com/PDF-Editor/uninstall.html?v=3.27
        Source: icepdfeditor.exe, 0000001D.00000000.2422453008.00000000006A7000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: https://icecreamapps.com/PDF-Editor/upgrade.html?v=%1&t=%2
        Source: icepdfeditor.exe, 0000001D.00000000.2422453008.00000000006A7000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: https://icecreamapps.com/act/license.php
        Source: icepdfeditor.exe, 0000001D.00000000.2422453008.00000000006A7000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: https://icecreamapps.com/act/license.phphttps://icecreamapps.com/go/license_date.phpInvalid
        Source: Patch.exe, 00000014.00000003.1947588604.0000000000757000.00000004.00000020.00020000.00000000.sdmp, Patch.exe, 00000014.00000002.1961130684.0000000000767000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://icecreamapps.com/b
        Source: icepdfeditor.exe, 0000001D.00000000.2422453008.00000000006A7000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: https://icecreamapps.com/go/help.php?prod=pde
        Source: icepdfeditor.exe, 0000001D.00000000.2422453008.00000000006A7000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: https://icecreamapps.com/go/license_date.php
        Source: Patch.exe, 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmpString found in binary or memory: https://icecreamapps.comU
        Source: Patch.exe, 00000014.00000003.1947588604.0000000000757000.00000004.00000020.00020000.00000000.sdmp, Patch.exe, 00000014.00000002.1961130684.0000000000767000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://icecreamapps.comb
        Source: Patch.exe, Patch.exe, 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Patch.exe, 00000014.00000003.1951122666.0000000000D8C000.00000004.00001000.00020000.00000000.sdmp, Patch.exe, 0000001C.00000002.2477537453.0000000000D9A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ko-fi.com/radixx11
        Source: Patch.exe, 00000014.00000003.1951122666.0000000000D8C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ko-fi.com/radixx11Q
        Source: icepdfeditor.exe, 0000001D.00000000.2422453008.00000000006A7000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: https://mail.ru
        Source: Patch.exe, 0000001C.00000002.2477537453.0000000000D9A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://radixx11rce3.blogspot.com
        Source: pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1328241437.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1327884876.0000000002663000.00000004.00001000.00020000.00000000.sdmp, Patch.exe, 00000014.00000003.1637001077.0000000005E21000.00000004.00000020.00020000.00000000.sdmp, is-NULG8.tmp.14.drString found in binary or memory: https://sectigo.com/CPS0
        Source: pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1328241437.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1327884876.0000000002663000.00000004.00001000.00020000.00000000.sdmp, Patch.exe, 00000014.00000003.1637001077.0000000005E21000.00000004.00000020.00020000.00000000.sdmp, is-NULG8.tmp.14.drString found in binary or memory: https://www.globalsign.com/repository/0
        Source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000066EE000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.0000000006694000.00000004.00001000.00020000.00000000.sdmp, is-HDI2E.tmp.14.dr, is-EH0TS.tmp.14.dr, is-IUBHJ.tmp.14.dr, is-3RLDL.tmp.14.drString found in binary or memory: https://www.thawte.com/cps0/
        Source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000066EE000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.0000000006694000.00000004.00001000.00020000.00000000.sdmp, is-HDI2E.tmp.14.dr, is-EH0TS.tmp.14.dr, is-IUBHJ.tmp.14.dr, is-3RLDL.tmp.14.drString found in binary or memory: https://www.thawte.com/repository0W
        Source: icepdfeditor.exe, 0000001D.00000000.2422453008.00000000006A7000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: https://ya.ru
        Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
        Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
        Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
        Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
        Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_00407EAE OpenClipboard,20_2_00407EAE
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_00407F5E SetClipboardData,20_2_00407F5E
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_00407C0E GetClipboardData,20_2_00407C0E
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_00407BDE GetAsyncKeyState,20_2_00407BDE
        Source: Yara matchFile source: Process Memory Space: Patch.exe PID: 2268, type: MEMORYSTR
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_00407AE6 NtdllDefWindowProc_A,20_2_00407AE6
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_0040236420_2_00402364
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_00405E2020_2_00405E20
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: String function: 00411D24 appears 34 times
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: String function: 00404D38 appears 69 times
        Source: pdf_editor_setup_Downloadly.ir.tmp.9.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: pdf_editor_setup_Downloadly.ir.tmp.9.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
        Source: pdf_editor_setup_Downloadly.ir.tmp.13.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: pdf_editor_setup_Downloadly.ir.tmp.13.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
        Source: is-JCBAO.tmp.14.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: is-JCBAO.tmp.14.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
        Source: is-MJ811.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-G9D6N.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-V173U.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-US2TH.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-M2DS0.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-HINO1.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-EF39E.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-9JTNT.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-045QH.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-S3L1J.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-T1BNR.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-IQNAL.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-71RVD.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-OPH5U.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-MDI6D.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-B7R59.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-I5AN5.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-4RU8B.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-32IQI.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-QMD9M.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-6PKIS.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-AH44U.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-OE5OD.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-8CTAA.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-5NCII.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-SD5L0.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-NIFON.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-4VH3K.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-NR85U.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-I5I15.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-9LV8H.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-REGAU.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-7RINB.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-CTDA2.tmp.14.drStatic PE information: No import functions for PE file found
        Source: is-HDI2E.tmp.14.drStatic PE information: Section: .qtmimed ZLIB complexity 0.997458770800317
        Source: is-5FD3K.tmp.14.drStatic PE information: Section: .qtmimed ZLIB complexity 0.997458770800317
        Source: classification engineClassification label: sus34.expl.winZIP@36/176@8/3
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_0040A62A GetDiskFreeSpaceA,20_2_0040A62A
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_00410616 CoCreateInstance,20_2_00410616
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_0041C724 FindResourceA,20_2_0041C724
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpFile created: C:\Program Files (x86)\Icecream PDF Editor 3
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpFile created: C:\Users\user\AppData\Local\Programs
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeMutant created: \Sessions\1\BaseNamedObjects\Patch.exe_IcecreamAppsPatch_2.3.0.2
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exeFile created: C:\Users\user\AppData\Local\Temp\is-BA69I.tmp
        Source: Yara matchFile source: 20.2.Patch.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\AppData\Local\Temp\is-BA69I.tmp\pdf_editor_setup_Downloadly.ir.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\AppData\Local\Temp\is-BA69I.tmp\pdf_editor_setup_Downloadly.ir.tmpFile read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
        Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe"
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exeProcess created: C:\Users\user\AppData\Local\Temp\is-BA69I.tmp\pdf_editor_setup_Downloadly.ir.tmp "C:\Users\user\AppData\Local\Temp\is-BA69I.tmp\pdf_editor_setup_Downloadly.ir.tmp" /SL5="$601F8,22152334,238080,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe"
        Source: C:\Users\user\AppData\Local\Temp\is-BA69I.tmp\pdf_editor_setup_Downloadly.ir.tmpProcess created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe" /SPAWNWND=$602C2 /NOTIFYWND=$601F8
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exeProcess created: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp "C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp" /SL5="$70300,22152334,238080,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe" /SPAWNWND=$602C2 /NOTIFYWND=$601F8
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.27
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1952,i,74056811706744733,4401257274020997871,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
        Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe"
        Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe"
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://icecreamapps.com/
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1956,i,7196489178614102710,14503791149393765188,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
        Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_5947d8bd2f31bedc98f322800cabd2fb85e56117-2.zip\icepdfeditor.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_5947d8bd2f31bedc98f322800cabd2fb85e56117-2.zip\icepdfeditor.exe"
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe Process created: C:\Users\user\AppData\Local\Temp\is-BA69I.tmp\pdf_editor_setup_Downloadly.ir.tmp "C:\Users\user\AppData\Local\Temp\is-BA69I.tmp\pdf_editor_setup_Downloadly.ir.tmp" /SL5="$601F8,22152334,238080,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe"
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe Process created: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp "C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp" /SL5="$70300,22152334,238080,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe" /SPAWNWND=$602C2 /NOTIFYWND=$601F8
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.27
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: compstui.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: msimg32.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: inetres.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: msimg32.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: textshaping.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: windowscodecs.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: dwmapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: websocket.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: riched32.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: riched20.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: usp10.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: msls31.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: textinputframework.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: coreuicomponents.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_5947d8bd2f31bedc98f322800cabd2fb85e56117-2.zip\icepdfeditor.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_5947d8bd2f31bedc98f322800cabd2fb85e56117-2.zip\icepdfeditor.exeSection loaded: dwrite.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_5947d8bd2f31bedc98f322800cabd2fb85e56117-2.zip\icepdfeditor.exeSection loaded: libcurl.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_5947d8bd2f31bedc98f322800cabd2fb85e56117-2.zip\icepdfeditor.exeSection loaded: crashrpt1403.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_5947d8bd2f31bedc98f322800cabd2fb85e56117-2.zip\icepdfeditor.exeSection loaded: qt5svg.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_5947d8bd2f31bedc98f322800cabd2fb85e56117-2.zip\icepdfeditor.exeSection loaded: qt5widgets.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_5947d8bd2f31bedc98f322800cabd2fb85e56117-2.zip\icepdfeditor.exeSection loaded: qt5winextras.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_5947d8bd2f31bedc98f322800cabd2fb85e56117-2.zip\icepdfeditor.exeSection loaded: qt5gui.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_5947d8bd2f31bedc98f322800cabd2fb85e56117-2.zip\icepdfeditor.exeSection loaded: qt5network.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_5947d8bd2f31bedc98f322800cabd2fb85e56117-2.zip\icepdfeditor.exeSection loaded: qt5core.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_5947d8bd2f31bedc98f322800cabd2fb85e56117-2.zip\icepdfeditor.exeSection loaded: msvcp140.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_5947d8bd2f31bedc98f322800cabd2fb85e56117-2.zip\icepdfeditor.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_5947d8bd2f31bedc98f322800cabd2fb85e56117-2.zip\icepdfeditor.exeSection loaded: dwmapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_5947d8bd2f31bedc98f322800cabd2fb85e56117-2.zip\icepdfeditor.exeSection loaded: vcruntime140.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-BA69I.tmp\pdf_editor_setup_Downloadly.ir.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
        Source: Icecream PDF Editor 3.lnk.14.drLNK file: ..\..\..\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe
        Source: Icecream PDF Editor 3.lnk0.14.drLNK file: ..\..\..\..\..\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpWindow found: window name: TSelectLanguageFormJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpFile opened: C:\Windows\SysWOW64\MSFTEDIT.DLLJump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpWindow detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.IMPORTANT: THIS SOFTWARE END USER LICENSE AGREEMENT ("EULA") IS A LEGAL AGREEMENT BETWEEN YOU AND ICECREAM APPS LIMITED ("ICECREAMAPPS.COM"). USE OF THE SOFTWARE PROVIDED WITH THIS EULA (THE "SOFTWARE") CONSTITUTES YOUR ACCEPTANCE OF THESE TERMS. READ IT CAREFULLY BEFORE COMPLETING THE INSTALLATION PROCESS AND USING THE SOFTWARE. IF YOU DO NOT AGREE TO THE TERMS OF THIS EULA DO NOT INSTALL AND/OR USE THIS SOFTWARE. BY INSTALLING COPYING OR OTHERWISE USING THE SOFTWARE PRODUCT YOU AGREE TO BE BOUND BY THE TERMS OF THIS EULA. 1. LICENSE GRANT. The Software is licensed on per user basis not per computer site or company. This license is not transferable to any other system or to another organization or individual. You are not allowed to remove any proprietary notices or labels from the SOFTWARE. The PRO license can be used on ONE computer belonging to ONE user. The PRO license applies to the version of the program on which it is activated.2. WARRANTY DISCLAIMER. THIS SOFTWARE AND ANY RELATED DOCUMENTATION is PROVIDED "AS IS" AND COMES WITHOUT ANY WARRANTY EITHER EXPRESS OR IMPLIED INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OR MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. THE USE AND PERFORMANCE OF THIS SOFTWARE ARE SOLELY AT YOUR OWN RISK.3. FREE USE. You may install and use the SOFTWARE free of charge for personal educational (non-profit) use. In these cases you are granted the right to use and to make an unlimited number of copies of this software. Some features of the SOFTWARE may be limited or unavailable in free version of the SOFTWARE. To enable all the features you need to upgrade the SOFTWARE to PRO version. 
Full list of limited features is presented on Upgrade page of the SOFTWARE at icecreamapps.com.4. COMMERCIAL USE. For usage in corporate or commercial environment you will need to upgrade the SOFTWARE to PRO version by obtaining an activation key at icecreamapps.com. 5. REVERSE ENGINEERING. You agree that you will not attempt to reverse compile modify translate or disassemble the Software in whole or in part. 6. COPYRIGHT. The SOFTWARE is intellectual property of Icecream Apps Ltd and is protected by law. You acknowledge that all intellectual property rights in the SOFTWARE anywhere in the world belong to Icecream Apps Ltd that rights in the SOFTWARE are licensed (not sold) to you and that you have no rights in or to the SOFTWARE other than the right to use them in accordance with the terms of this License. You are not allowed to resell charge for rent lease loan sublicense or assign the SOFTWARE or any copy thereof including any related documentation.7. LIMITATION OF LIABILITY. IN NO EVENT SHALL ICECREAM APPS LTD BE LIABLE FOR ANY SPECIAL INCIDENTAL INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER (IN
        Source: Archive.zipStatic file information: File size 25201421 > 1048576
        Source: Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtiff.pdbDD source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000066EE000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: C:\Users\qt\work\qt\qtsvg\plugins\iconengines\qsvgicon.pdb source: is-EH0TS.tmp.14.dr
        Source: Binary string: C:\Users\qt\work\qt\qtsvg\plugins\imageformats\qsvg.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.0000000006694000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ucrtbase.pdb source: is-SS9TM.tmp.14.dr
        Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdb source: is-HDI2E.tmp.14.dr
        Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: is-US2TH.tmp.14.dr
        Source: Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtiff.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000066EE000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: D:\Work\PdfEditor\icepdfeditor-Desktop_Qt_5_15_1_MSVC2019_32bit\bin\icepdfeditor.pdb source: icepdfeditor.exe, 0000001D.00000000.2422453008.00000000006A7000.00000002.00000001.01000000.0000000F.sdmp
        Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: is-9LV8H.tmp.14.dr, is-9JTNT.tmp.14.dr
        Source: Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtga.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.0000000006694000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: is-I5AN5.tmp.14.dr
        Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\styles\qwindowsvistastyle.pdb''! source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000060A0000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qicns.pdb source: is-IUBHJ.tmp.14.dr
        Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: is-HINO1.tmp.14.dr
        Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: is-MDI6D.tmp.14.dr
        Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\styles\qwindowsvistastyle.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000060A0000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qwebp.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000066EE000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: msvcr120.i386.pdb source: is-GS8SF.tmp.14.dr
        Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdbV source: is-HDI2E.tmp.14.dr
        Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Gui.pdb source: is-CJEQM.tmp.14.dr
        Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qjpeg.pdbTT source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.0000000006694000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: E:\distr\development\crashrpt\CrashRpt_v.1.4.3_r1645\bin\CrashSender.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000060A0000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ucrtbase.pdbUGP source: is-SS9TM.tmp.14.dr
        Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\platforms\qwindows.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000066EE000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qjpeg.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.0000000006694000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qwbmp.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000066EE000.00000004.00001000.00020000.00000000.sdmp, is-3RLDL.tmp.14.dr
        Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: is-OPH5U.tmp.14.dr, is-S3L1J.tmp.14.dr
        Source: is-D2OAP.tmp.14.drStatic PE information: 0x747F8DCC [Mon Dec 8 17:13:48 2031 UTC]
        Source: is-HDI2E.tmp.14.drStatic PE information: section name: .qtmimed
        Source: is-GIDFB.tmp.14.drStatic PE information: section name: .didata
        Source: is-M4EGV.tmp.14.drStatic PE information: section name: .00cfg
        Source: is-IQ6N1.tmp.14.drStatic PE information: section name: .00cfg
        Source: is-2DG5N.tmp.14.drStatic PE information: section name: .didat
        Source: is-33JEM.tmp.14.drStatic PE information: section name: _RDATA
        Source: is-5FD3K.tmp.14.drStatic PE information: section name: .qtmimed
        Source: is-EH0TS.tmp.14.drStatic PE information: section name: .qtmetad
        Source: is-B31EP.tmp.14.drStatic PE information: section name: .qtmetad
        Source: is-IUBHJ.tmp.14.drStatic PE information: section name: .qtmetad
        Source: is-H3B6T.tmp.14.drStatic PE information: section name: .qtmetad
        Source: is-2PJLM.tmp.14.drStatic PE information: section name: .qtmetad
        Source: is-K7OKT.tmp.14.drStatic PE information: section name: .qtmetad
        Source: is-C5UR9.tmp.14.drStatic PE information: section name: .qtmetad
        Source: is-348E9.tmp.14.drStatic PE information: section name: .qtmetad
        Source: is-3RLDL.tmp.14.drStatic PE information: section name: .qtmetad
        Source: is-EOFBO.tmp.14.drStatic PE information: section name: .qtmetad
        Source: is-NOM8F.tmp.14.drStatic PE information: section name: .qtmetad
        Source: is-GOQN9.tmp.14.drStatic PE information: section name: .qtmetad
        Source: is-C4NAE.tmp.14.drStatic PE information: section name: .didata
        Source: is-F9SRF.tmp.14.drStatic PE information: section name: .00cfg
        Source: is-E29SC.tmp.14.drStatic PE information: section name: .00cfg
        Source: is-PBJI8.tmp.14.drStatic PE information: section name: .didat
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_0041B900 push ecx; mov dword ptr [esp], edx20_2_0041B905
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_004080C8 push ecx; mov dword ptr [esp], eax20_2_004080C9
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_0041E1AC push ecx; mov dword ptr [esp], edx20_2_0041E1AD
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_004243CC push ecx; mov dword ptr [esp], edx20_2_004243CE
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_0040F40C push ecx; mov dword ptr [esp], edx20_2_0040F411
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_004096C4 push ecx; mov dword ptr [esp], ecx20_2_004096C9
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_0041B6BC push ecx; mov dword ptr [esp], eax20_2_0041B6BD
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_0041873C push 004187B2h; ret 20_2_004187AA
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_004188EC push ecx; mov dword ptr [esp], ecx20_2_004188EF
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_004039A4 push eax; ret 20_2_004039E0
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_00419AEC push 00419B39h; ret 20_2_00419B31
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_0041BB5C push ecx; mov dword ptr [esp], edx20_2_0041BB61
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_00418BC8 push ecx; mov dword ptr [esp], ecx20_2_00418BCA
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_0040FC56 push 0040FDF3h; ret 20_2_0040FDEB
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_0041BC7C push ecx; mov dword ptr [esp], edx20_2_0041BC81
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_0041BCC0 push ecx; mov dword ptr [esp], edx20_2_0041BCC5
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 20_2_00406FA6 push 00407003h; ret 20_2_00406FFB
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 28_2_0019E224 push eax; iretd 28_2_0019E225
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 28_2_0019E458 push 870019E4h; iretd 28_2_0019E45D
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 28_2_0019C451 push ss; iretd 28_2_0019C546
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 28_2_0019E464 push eax; iretd 28_2_0019E465
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 28_2_0019ED98 push FFFFFF9Eh; retf 28_2_0019ED9A
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeCode function: 28_2_0019C2A7 push 00000014h; ret 28_2_0019C2A9
        Source: is-EQQK5.tmp.14.drStatic PE information: section name: .text entropy: 6.9566713846558015
        Source: is-GS8SF.tmp.14.drStatic PE information: section name: .text entropy: 6.9566713846558015
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpFile created: C:\Program Files (x86)\Icecream PDF Editor 3\is-LCLTR.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpFile created: C:\Program Files (x86)\Icecream PDF Editor 3\is-T1BNR.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpFile created: C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\qicns.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpFile created: C:\Program Files (x86)\Icecream PDF Editor 3\vcruntime140.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exeFile created: C:\Users\user\AppData\Local\Temp\is-BA69I.tmp\pdf_editor_setup_Downloadly.ir.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpFile created: C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-crt-string-l1-1-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpFile created: C:\Program Files (x86)\Icecream PDF Editor 3\is-C4NAE.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpFile created: C:\Program Files (x86)\Icecream PDF Editor 3\is-F9SRF.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exeFile created: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe.BAKJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpFile created: C:\Program Files (x86)\Icecream PDF Editor 3\is-NIFON.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpFile created: C:\Program Files (x86)\Icecream PDF Editor 3\is-JCCI9.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe; File created: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe; File created: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe.BAK
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp; File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Icecream PDF Editor 3.lnk
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe; Code function: 20_2_00407DEE IsIconic, 20_2_00407DEE
        Source: C:\Users\user\AppData\Local\Temp\is-BA69I.tmp\pdf_editor_setup_Downloadly.ir.tmp; Registry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Windows\System32\rundll32.exe; Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-BA69I.tmp\pdf_editor_setup_Downloadly.ir.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe; Window / User API: threadDelayed 9916
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe; Window / User API: threadDelayed 9996
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe.BAK
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-QMD9M.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-K28TK.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-9JTNT.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-MDI6D.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\msvcp120.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\qgif.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\qwbmp.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-core-processthreads-l1-1-1.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\is-B31EP.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\msvcr120.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-V173U.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-HQS0M.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-6PKIS.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-US2TH.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-I5I15.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\platforms\qwindows.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-ME4M5.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-crt-locale-l1-1-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-TFOAP.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-BH5LP.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-crt-math-l1-1-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-71RVD.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-MJ811.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-GS8SF.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-core-timezone-l1-1-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-E29SC.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-HUMQ2.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\qjpeg.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-HINO1.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\is-K7OKT.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-H2HIE.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\iconengines\is-EH0TS.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-I5AN5.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-PBJI8.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\pdfcore-x86.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-AVR5I.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-JO2A2.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-0J7P8.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-crt-filesystem-l1-1-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\styles\qwindowsvistastyle.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\platforms\is-NOM8F.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-AH44U.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-crt-runtime-l1-1-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-REGAU.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-9LV8H.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\qtga.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-4RU8B.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-G9D6N.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-NV1R0.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-SD5L0.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-OPH5U.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-CTDA2.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-UP5T5.tmp\_isetup\_setup64.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-IQNAL.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-S3L1J.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-IQ6N1.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-EF39E.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-GIDFB.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\iconengines\qsvgicon.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-M4EGV.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\CrashSender1403.exe (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-crt-stdio-l1-1-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-4VH3K.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\is-EOFBO.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-EQQK5.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-NR85U.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\is-H3B6T.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-FEC93.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-NULG8.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\DebenuPDFLibraryDLL1212.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-crt-convert-l1-1-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-0VCGO.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\is-C5UR9.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-OE5OD.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-5NCII.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\is-IUBHJ.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\is-348E9.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-core-louserzation-l1-2-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\qsvg.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-B7R59.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-crt-time-l1-1-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-A1NMJ.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-5FD3K.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-crt-environment-l1-1-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\qwebp.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-core-file-l1-2-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-632VQ.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\msvcp140_1.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\qtiff.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-33JEM.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-7RINB.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-SS9TM.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\is-3RLDL.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-core-synch-l1-2-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-core-file-l2-1-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmpDropped PE file which has not been started: C:\Program Files (x86)\Icecream PDF Editor 3\is-D2OAP.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe API coverage: 6.4 %
        Source: C:\Users\user\AppData\Local\Temp\is-BA69I.tmp\pdf_editor_setup_Downloadly.ir.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
        Source: C:\Users\user\AppData\Local\Temp\is-BA69I.tmp\pdf_editor_setup_Downloadly.ir.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe Code function: 20_2_0040A3B8 FindFirstFileA,GetLastError,20_2_0040A3B8
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe Code function: 20_2_0040A07E FindFirstFileA,FindClose,20_2_0040A07E
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe Code function: 20_2_0040A190 FindFirstFileA,FindClose,20_2_0040A190
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe Code function: 20_2_00406490 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,20_2_00406490
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe Code function: 20_2_0040757E GetSystemInfo,20_2_0040757E
        Source: pdf_editor_setup_Downloadly.ir.tmp, 0000000A.00000002.1572444290.0000000000749000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9-
        Source: pdf_editor_setup_Downloadly.ir.tmp, 0000000A.00000002.1572444290.0000000000749000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
        Source: Patch.exe, 00000014.00000003.1947588604.000000000074A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: Patch.exe, 0000001C.00000002.2473359257.000000000094C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp Process information queried: ProcessInformation
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe Code function: 28_2_008F0000 LdrInitializeThunk,28_2_008F0000
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.27
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://icecreamapps.com/
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe Process created: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp "c:\users\user\appdata\local\temp\is-7k9qh.tmp\pdf_editor_setup_downloadly.ir.tmp" /sl5="$70300,22152334,238080,c:\users\user\appdata\local\temp\temp1_mde_file_sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_downloadly.ir.exe" /spawnwnd=$602c2 /notifywnd=$601f8
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe Code function: 20_2_00407298 AllocateAndInitializeSid,RegCreateKeyExA,RegQueryValueExA,CopyFileA,CreateMutexA,20_2_00407298
        Source: Patch.exe, 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: Shell_TrayWndSVW
        Source: Patch.exe, Patch.exe, 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: Shell_TrayWnd
        Source: Patch.exe, 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SV
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,20_2_00406654
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe Code function: GetLocaleInfoA,20_2_0040D2E8
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe Code function: GetLocaleInfoA,20_2_0040D29C
        Source: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe Queries volume information: C:\Users\user\Desktop\Archive.zip VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe Code function: 20_2_0040BBCC GetLocalTime,20_2_0040BBCC
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe Code function: 20_2_00407386 GetUserNameA,20_2_00407386
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe Code function: 20_2_00407596 GetTimeZoneInformation,20_2_00407596
        Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe Code function: 20_2_0040E290 GetVersionExA,20_2_0040E290
        | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
        |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
        | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (1) | DLL Side-Loading (1) | Exploitation for Privilege Escalation (1) | Deobfuscate/Decode Files or Information (1) | Input Capture (11) | System Time Discovery (2) | Remote Services | Archive Collected Data (11) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
        | Credentials | Domains | Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder (1) | DLL Side-Loading (1) | Obfuscated Files or Information (3) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Input Capture (11) | Encrypted Channel (11) | Exfiltration Over Bluetooth | Network Denial of Service |
        | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Extra Window Memory Injection (1) | Software Packing (2) | Security Account Manager | File and Directory Discovery (2) | SMB/Windows Admin Shares | Clipboard Data (3) | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact |
        | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Process Injection (12) | Timestomp (1) | NTDS | System Information Discovery (35) | Distributed Component Object Model | Input Capture | Application Layer Protocol (3) | Traffic Duplication | Data Destruction |
        | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Registry Run Keys / Startup Folder (1) | DLL Side-Loading (1) | LSA Secrets | Query Registry (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
        | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Extra Window Memory Injection (1) | Cached Domain Credentials | Security Software Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
        | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Masquerading (12) | DCSync | Process Discovery (2) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
        | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Process Injection (12) | Proc Filesystem | Application Window Discovery (11) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
        | Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Rundll32 (1) | /etc/passwd and /etc/shadow | System Owner/User Discovery (3) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
        [Behavior graph: ID 1541179; Sample: Archive.zip; Start date: 24/10/2024; Architecture: WINDOWS; Score: 34]

        No Antivirus matches
        | Source | Detection | Scanner | Label | Link |
        |---|---|---|---|---|
        | C:\Program Files (x86)\Icecream PDF Editor 3\CrashRpt1403.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\CrashSender1403.exe (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\DebenuPDFLibraryDLL1212.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\Qt5Core.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\Qt5Gui.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\Qt5Network.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\Qt5Svg.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\Qt5Widgets.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\Qt5WinExtras.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-core-file-l1-2-0.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-core-file-l2-1-0.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-core-louserzation-l1-2-0.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-core-processthreads-l1-1-1.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-core-synch-l1-2-0.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-core-timezone-l1-1-0.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-crt-convert-l1-1-0.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-crt-environment-l1-1-0.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-crt-filesystem-l1-1-0.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-crt-heap-l1-1-0.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-crt-locale-l1-1-0.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-crt-math-l1-1-0.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-crt-runtime-l1-1-0.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-crt-stdio-l1-1-0.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-crt-string-l1-1-0.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-crt-time-l1-1-0.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\api-ms-win-crt-utility-l1-1-0.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe.BAK | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\iconengines\is-EH0TS.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\iconengines\qsvgicon.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\is-2PJLM.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\is-348E9.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\is-3RLDL.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\is-B31EP.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\is-C5UR9.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\is-EOFBO.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\is-H3B6T.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\is-IUBHJ.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\is-K7OKT.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\qgif.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\qicns.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\qico.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\qjpeg.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\qsvg.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\qtga.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\qtiff.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\qwbmp.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\imageformats\qwebp.dll (copy) | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\is-045QH.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\is-0J7P8.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\is-0VCGO.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\is-2DG5N.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\is-32IQI.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\is-33JEM.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\is-4RU8B.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\is-4VH3K.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\is-5FD3K.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\is-5NCII.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\is-632VQ.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\is-6PKIS.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\is-71RVD.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\is-7RINB.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\is-8CTAA.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\is-9JTNT.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\is-9LV8H.tmp | 0% | ReversingLabs | | |
        | C:\Program Files (x86)\Icecream PDF Editor 3\is-A1NMJ.tmp | 0% | ReversingLabs | | |
        No Antivirus matches
        No Antivirus matches
        | Source | Detection | Scanner | Label | Link |
        |---|---|---|---|---|
        | http://fontawesome.io | 0% | URL Reputation | safe | |
        | http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0# | 0% | URL Reputation | safe | |
        | http://ocsp.sectigo.com0 | 0% | URL Reputation | safe | |
        | http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0 | 0% | URL Reputation | safe | |
        | http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | URL Reputation | safe | |
        | http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0# | 0% | URL Reputation | safe | |
        | http://www.innosetup.com/ | 0% | URL Reputation | safe | |
        | https://sectigo.com/CPS0 | 0% | URL Reputation | safe | |
        | http://ocsp.thawte.com0 | 0% | URL Reputation | safe | |
        | http://www.dk-soft.org/ | 0% | URL Reputation | safe | |
        | http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe | |
        | https://www.thawte.com/cps0/ | 0% | URL Reputation | safe | |
        | http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z | 0% | URL Reputation | safe | |
        | http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe | |
        | https://www.thawte.com/repository0W | 0% | URL Reputation | safe | |
        | http://www.winimage.com/zLibDll | 0% | URL Reputation | safe | |
        | http://www.remobjects.com/ps | 0% | URL Reputation | safe | |
        | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
        |---|---|---|---|---|---|
        | icecreamapps.com | 37.58.52.149 | true | false | | unknown |
        | cl-2d703670.gcdn.co | 92.223.124.62 | true | false | | unknown |
        | static.icecreamapps.com | unknown | unknown | false | | unknown |
        | Name | Malicious | Antivirus Detection | Reputation |
        |---|---|---|---|
        | https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.27 | false | | unknown |
        | https://icecreamapps.com/ | false | | unknown |
        Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                unknown
                                                                                                https://curl.se/docs/copyright.htmlDis-NULG8.tmp.14.drfalse
                                                                                                  unknown
                                                                                                  http://fontawesome.io/license/Patch.exe, 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmpfalse
                                                                                                    unknown
                                                                                                    https://icecreamapps.com/PDF-Editorpdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1565046981.0000000002434000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      https://www.thawte.com/cps0/pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000066EE000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.0000000006694000.00000004.00001000.00020000.00000000.sdmp, is-HDI2E.tmp.14.dr, is-EH0TS.tmp.14.dr, is-IUBHJ.tmp.14.dr, is-3RLDL.tmp.14.drfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.27C:pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000002.1566748638.0000000000616000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0zpdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1328241437.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1327884876.0000000002663000.00000004.00001000.00020000.00000000.sdmp, Patch.exe, 00000014.00000003.1637001077.0000000005E21000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#is-NULG8.tmp.14.drfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.274pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1566202511.00000000007E0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          https://icecreamapps.com/go/license_date.phpicepdfeditor.exe, 0000001D.00000000.2422453008.00000000006A7000.00000002.00000001.01000000.0000000F.sdmpfalse
                                                                                                            unknown
                                                                                                            https://www.thawte.com/repository0Wpdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000066EE000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.0000000006694000.00000004.00001000.00020000.00000000.sdmp, is-HDI2E.tmp.14.dr, is-EH0TS.tmp.14.dr, is-IUBHJ.tmp.14.dr, is-3RLDL.tmp.14.drfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://www.winimage.com/zLibDllpdf_editor_setup_Downloadly.ir.tmp, 0000000E.00000003.1560005725.00000000060A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://www.remobjects.com/pspdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1327884876.0000000002530000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000009.00000003.1328241437.000000007FD10000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 0000000A.00000000.1329214810.0000000000401000.00000020.00000001.01000000.00000007.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            https://ya.ruicepdfeditor.exe, 0000001D.00000000.2422453008.00000000006A7000.00000002.00000001.01000000.0000000F.sdmpfalse
                                                                                                              unknown
                                                                                                              https://curl.se/Vis-NULG8.tmp.14.drfalse
                                                                                                                unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
239.255.255.250 | unknown | Reserved | | unknown | unknown | false
92.223.124.62 | cl-2d703670.gcdn.co | Austria | | 199524 | GCOREAT | false
37.58.52.149 | icecreamapps.com | Germany | | 28753 | LEASEWEB-DE-FRA-10DE | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1541179
Start date and time: 2024-10-24 14:50:40 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 38s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Archive.zip
Detection: SUS
Classification: sus34.expl.winZIP@36/176@8/3
EGA Information:
• Successful, ratio: 50%
HCA Information: Failed
Cookbook Comments:
                                                                                                                • Found application associated with file extension: .zip
                                                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                                                • Excluded IPs from analysis (whitelisted): 142.250.186.163, 142.250.185.206, 64.233.166.84, 34.104.35.123, 142.250.185.227, 142.250.186.110, 74.125.133.84, 142.250.185.138
                                                                                                                • Excluded domains from analysis (whitelisted): fonts.googleapis.com, fs.microsoft.com, clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Patch.exe, PID 2452 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                • VT rate limit hit for: Archive.zip
                                                                                                                No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                                                                        No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                                                                        No context
                                                                                                                                                        No context
Process: C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 157208
Entropy (8bit): 6.1934682249941115
Encrypted: false
SSDEEP: 3072:zKEv+wyTqNr2Z+7UXkvrZexxuF0tBzwuXh47ht0OiJPex01d54aJ:zPv+5qB2ZwKkvrmu6tJ16lg1dRJ
MD5: D4DB02A96B703FDBFAD4443AB8FA504F
SHA1: 39AD32AE327789C62FD32FCB6C1F4471F1DCE47F
SHA-256: 21171F394862D2342F5AF507A54655B454F510D0B8800E6A4929829EB28F830E
SHA-512: D5FCB52ACE86D863B822E06070CF34577BC15BA19CB9CFB2D4C1C16705521E779B8B42ECD2EC9E783B06B2A89C92C259015D88E255FCFBCF19D78D2F276B4009
Malicious: false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):951808
                                                                                                                                                        Entropy (8bit):6.595786024423779
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:j3Qot4CtMnlVl8OsmVEpAymT3cVPjeDzh2A2I5fZBTQgsPfU:ko3twVl8OsmVp3cBCDzhn2I5fHTQfU
                                                                                                                                                        MD5:2829AB15FFF44C84D319274AB61BC4DD
                                                                                                                                                        SHA1:F825F839E0EB35077BE24C2692B42C31B4541411
                                                                                                                                                        SHA-256:A8F3DC44C4DE1D96A1C4491686F54E1931387DF800653BE71458BA11863A00C4
                                                                                                                                                        SHA-512:B689D95FE217307736E0240F3F919646F69E953D007EA89B71207A149F8F5D4710307C1D248F755E40A564ADA49DE9E1FDD926984F45CE2F6E4C872DBCA8EB1A
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):6190104
                                                                                                                                                        Entropy (8bit):7.421682960763955
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:98304:MK+/ifzrm29tZTwpN9EVbjl4ece6GMUdaVelHxzINC75Z:X+/ibrm29tZFVvl48DueJO475Z
                                                                                                                                                        MD5:74E2784C899F1D77D6679A03D60A3D64
                                                                                                                                                        SHA1:FF43817A59C7A6964DCC8F9DB2B9A16E1FE58C3C
                                                                                                                                                        SHA-256:A9E1AF2711021486E6BCD3B6520072BC71EC8DF0D63336421286E2C4F3DB7EA8
                                                                                                                                                        SHA-512:E745DD67367588CAAE9B75919DCD370AA26647CDB172C2A0C26A709367D6E526214C7787AAA2BC317FFE6C99BB04C6117E142787A7CE936AD391F21417AF1832
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):5377144
                                                                                                                                                        Entropy (8bit):6.853679063871745
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:98304:eLlOKYcFr4K9pJsv6tWKFdu9CjvpzjgwWe:eLDrlJsv6tWKFdu9CjRvFWe
                                                                                                                                                        MD5:316FB94DA47EAC5933F3007A8CCA4356
                                                                                                                                                        SHA1:4C17A1A8E21940066BCBB5A0F09F6DA9C26039DA
                                                                                                                                                        SHA-256:0DED0E1CDB33B58CCB8FA20837EBFA9D17A9737BCEB078D0D16F3EF4AC349C5D
                                                                                                                                                        SHA-512:B791A9DC14CB852344D33A7F0DFA5C3C7AC54E50B888024E6795A9FF5372B8554E464C9AF9280289652981B58723C9E4BC72C514D3C346CD020998F67AB84D95
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):5929592
                                                                                                                                                        Entropy (8bit):6.794857574868927
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:49152:7XWX+slNUrE5ZiXVSTsxkHDl3HHx4oRZ0ggBEFslA6A5ORbkVIa+r8ZJU/tNN4gG:752gcsxUl3HN0VUVCr8Ib6mLV9+
                                                                                                                                                        MD5:253C8B17A1476DC182C31B75E98B6A0E
                                                                                                                                                        SHA1:49A511A017EE77FFAC72AF8B007C67C9F6637D53
                                                                                                                                                        SHA-256:55B26B1236A79A6985DC9B6114DD227F5DFF06D6932223DDA02D9ED95968B779
                                                                                                                                                        SHA-512:A5110FDB18DA6D87641B0299EA947F149030B61779EBEEA300F75A555F3F2AB61BFA79204593D3A84F2BE41945A3E82472002F876A3BAC845BADAB871897754C
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1062520
                                                                                                                                                        Entropy (8bit):6.681028028686963
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:BqjkFWDYqDVCDIkRhMq33zROfSRW88W8mg:wcD9TEf1Wo
                                                                                                                                                        MD5:0FD8AD9B5FE25811E9FA9125E791E083
                                                                                                                                                        SHA1:680FDA9F8B4EBEE870C5DEA0E9DFEE0A918E4E5E
                                                                                                                                                        SHA-256:C9A7571426BB7D0F0939DC4D39D22329373FBD0320708EC6B99C0F516FF77D78
                                                                                                                                                        SHA-512:60899B2FD00D7AC3B34639891664F2F280FD32AF1B0ADB2DED09DB87336243BCDCD731F8D30CFFA665A2BCEAC83771622E755EDAA8DDF5889539B66ABB842E8E
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):264312
                                                                                                                                                        Entropy (8bit):6.715338352324104
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:dO73uRNCsNic+peLSWOvY0VdWOEDuFcXxwIpunEJr2ty+yUIEDvwrPmaiK+iA0c8:dOsB+peLNMLEDukunEJr2tyRrPTf
                                                                                                                                                        MD5:2974485E58533B9BFC4061E11C0174C7
                                                                                                                                                        SHA1:9A8E9CDEC284B865C76CCA129E7BD44885BABB55
                                                                                                                                                        SHA-256:CD1950F423381E5654EB92E5A77EE19AA6E0212FC3729D5710A9EDF57746C2B0
                                                                                                                                                        SHA-512:CE0EF433D7E8D52EC513725327A7A8DCACAE831704CCD4F2B9B243431A408DE40ABFA846D0BBDBBBDF70B6294439392BD8F4723D465E324A4BBF272727E5B43D
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):4483704
                                                                                                                                                        Entropy (8bit):6.835994551598057
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:49152:LNYrZPyqlHjgvBDFx+jnn1nSQnCKWnDcxcYd/IAm4:ClqDFx+YxK7mY9IAm4
                                                                                                                                                        MD5:FE4E5ED83642E0DD84BB41450D020AF6
                                                                                                                                                        SHA1:275601E50EECB6C7E19D9DD4DDBE6E23FAA92650
                                                                                                                                                        SHA-256:BAA679FBB6B375EA4F9A2C536E8CC750CDF25946379DCED876D2A855DDAA838C
                                                                                                                                                        SHA-512:B29E60FF24684A969B61357AADC3D8A5614521CC77FE52016F886FD8B40F13F2B8F8B34CD9888D3C972642A06A6B94C29A193D7AB09A8285277F414DF96F5D18
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):433272
                                                                                                                                                        Entropy (8bit):6.406577939449063
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:VuWoR2Bwb8HHEgIjBN4SlBZr5j7E8doP+kTRzbh10rNus/vUS+B+/iSMk:VuWODb8nYBN4wBl5M8qPf3wNNmk
                                                                                                                                                        MD5:E368A66AD5114ADF1F43790AB728CED2
                                                                                                                                                        SHA1:C6E86F5B71D628B2556249CC96FDC2884B833143
                                                                                                                                                        SHA-256:5CCA88F525E8B371EB579DA114C26F1EC570157A95EB83A6CC38EA888FF400EA
                                                                                                                                                        SHA-512:D801024C78F986B00CD16E94903057B4D41B72E0C04497A50E70C7CC65F9DA54C347B46D234C26894D9FC7DE6574D5086D2B2E97E66DF0AD1F958438A109BFAF
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):11416
                                                                                                                                                        Entropy (8bit):6.815621198462554
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:KdWYhWJWWFYg7VWQ4WWeRkJqnajgrTZutRnPZA9S:KdWYhWHsJl0huHnPZA9S
                                                                                                                                                        MD5:CD3CEC3D65AE62FDF044F720245F29C0
                                                                                                                                                        SHA1:C4643779A0F0F377323503F2DB8D2E4D74C738CA
                                                                                                                                                        SHA-256:676A6DA661E0C02E72BEA510F5A48CAE71FDC4DA0B1B089C24BFF87651EC0141
                                                                                                                                                        SHA-512:ACA1029497C5A9D26EE09810639278EB17B8FD11B15C9017C8B578FCED29CEF56F172750C4CC2B0D1EBF8683D29E15DE52A6951FB23D78712E31DDCB41776B0F
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):11208
                                                                                                                                                        Entropy (8bit):6.914984712440467
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:UC/b2WYhWIWWFYg7VWQ4eW5AZa8p2kacqnajYhx:UC/b2WYhWoY8pUclMH
                                                                                                                                                        MD5:B181124928D8EB7B6CAA0C2C759155CB
                                                                                                                                                        SHA1:1AADBBD43EFF2DF7BAB51C6F3BDA2EB2623B281A
                                                                                                                                                        SHA-256:24EA638DFA9F40E2F395E26E36D308DB2AB25ED1BAA5C796AC2C560AD4C89D77
                                                                                                                                                        SHA-512:2A43BF4D50D47924374CDE689BE24799C4E1C132C0BC981F5109952D3322E91DD5A9352B53BB55CA79A6EA92E2C387E87C064B9D8C8F519B77FFF973D752DC8F
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):13768
                                                                                                                                                        Entropy (8bit):6.798905181617243
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:6GEOMw3zdp3bwjGzue9/0jCRrndbFWYhWfRDli:6TOMwBprwjGzue9/0jCRrndbB0
                                                                                                                                                        MD5:21519F4D5F1FEA53532A0B152910EF8B
                                                                                                                                                        SHA1:7833AC2C20263C8BE42F67151F9234EB8E4A5515
                                                                                                                                                        SHA-256:5FBD69186F414D1D99AC61C9C15A57390FF21FE995E5C01F1C4E14510B6FB9B1
                                                                                                                                                        SHA-512:97211FAD4AAE2F6A6B783107938F0635C302445E74FC34A26AA386864509919C3F084E80579D2502105D9256AAB9F57EA16137C43344B1C62F64E5BC1125A417
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):11720
                                                                                                                                                        Entropy (8bit):6.825370088644229
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:k/DiDfIeJWYhWGWWFYg7VWQ4eWlLoCjux5Dqnajuy:JDfIeJWYhWm+PUDli
                                                                                                                                                        MD5:B5C8334A10B191031769D5DE01DF9459
                                                                                                                                                        SHA1:83A8FCC777C7E8C42FA4C59EE627BAF6CBED1969
                                                                                                                                                        SHA-256:6C27AC0542281649EC8638602FBC24F246424BA550564FC7B290B683F79E712D
                                                                                                                                                        SHA-512:59E53C515DFA2CD96182CA6539ED0EA2EBB01F5991BEB08166D1FC53576AEAAFEBBB2C5EE0CCBDAB60AE45FC6A048FFF0B5E1B8C9C26907791D31FB7E75B1F39
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):11712
                                                                                                                                                        Entropy (8bit):6.87820352511638
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:JDQtZ34WYhWVWWFYg7VWQ4uW+Jf8p2kacqnajY2xyU:JDQtZ34WYhWT/f8pUclMqx
                                                                                                                                                        MD5:EB6F7AF7EED6AA9AB03495B62FD3563F
                                                                                                                                                        SHA1:5A60EEBE67ED90F3171970F8339E1404CA1BB311
                                                                                                                                                        SHA-256:148ADEF6A34269E403BB509F9D5260ABE52F413A6C268E8BD9869841D5F2BD02
                                                                                                                                                        SHA-512:A9961212B40EFC12FD1AB3CC6551C97C987E73B6E409C9AB8A5E1B24542F9E5884811F06883BD31D2585219C4F60C30DE2D188788513C01B6CBFE22D539D7875
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):11720
                                                                                                                                                        Entropy (8bit):6.859698838321107
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:FPWYhW5WWFYg7VWQ4eWxSwPGux5DqnajuyVp:FPWYhW3+Dligp
                                                                                                                                                        MD5:86421619DAD87870E5F3CC0BEB1F7963
                                                                                                                                                        SHA1:2F0FE3EB94FA90577846D49C03C4FD08EF9D3FB2
                                                                                                                                                        SHA-256:64ECCD818F6FFC13F57A2EC5CA358B401FFBB1CA13B0C523D479EF5EE9EB44AB
                                                                                                                                                        SHA-512:DBCE9904DD5A403A5A69E528EE1179CC5FAAB1361715A29B1A0DE0CD33AD3AE9C9D5620DAFB161FDA86CB27909D001BE8955940FD051077FFE6F3FF82357AD31
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):15304
                                                                                                                                                        Entropy (8bit):6.565748840552441
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:YM0wd8dc9cydWYhWtWWFYg7VWQ4eWydY8p2kacqnajYWx:B0wd8xydWYhWrjY8pUclMK
                                                                                                                                                        MD5:88F89D0F2BD5748ED1AF75889E715E6A
                                                                                                                                                        SHA1:8ADA489B9FF33530A3FB7161CC07B5B11DFB8909
                                                                                                                                                        SHA-256:02C78781BF6CC5F22A0ECEDC3847BFD20BED4065AC028C386D063DC2318C33CC
                                                                                                                                                        SHA-512:1F5A00284CA1D6DC6AE2DFCE306FEBFA6D7D71D421583E4CE6890389334C2D98291E98E992B58136F5D1A41590553E3AD42FB362247AE8ADF60E33397AFBB5DF
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):11720
                                                                                                                                                        Entropy (8bit):6.761525250479804
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:CKNMWYhWtWWFYg7VWQ4eWSwRrHN8xqnajFW:CKNMWYhWrYHMlZW
                                                                                                                                                        MD5:0979785E3EF8137CDD47C797ADCB96E3
                                                                                                                                                        SHA1:4051C6EB37A4C0DBA47B58301E63DF76BFF347DD
                                                                                                                                                        SHA-256:D5164AECDE4523FFA2DCFD0315B49428AC220013132AD48422A8EA4CA2361257
                                                                                                                                                        SHA-512:E369BC53BABD327F5D1B9833C0B8D6C7E121072AD81D4BA1FB3E2679F161FB6A9FA2FCA0DF0BAC532FD439BEB0D754583582D1DBFECCF2D38CC4F3BDCA39B52D
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):13248
                                                                                                                                                        Entropy (8bit):6.8050900373153675
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:BGnWlC0i5ClWYhWCWWFYg7VWQ4SWg896Tem8p2kacqnajYPxw:cnWm5ClWYhWyld8pUclMpw
                                                                                                                                                        MD5:A1B6CEBD3D7A8B25B9A9CBC18D03A00C
                                                                                                                                                        SHA1:5516DE099C49E0E6D1224286C3DC9B4D7985E913
                                                                                                                                                        SHA-256:162CCF78FA5A4A2EE380F72FBD54D17A73C929A76F6E3659F537FA8F42602362
                                                                                                                                                        SHA-512:A322FB09E6FAAFF0DAABB4F0284E4E90CCACFF27161DBFD77D39A9A93DBF30069B9D86BF15A07FC2006A55AF2C35CD8EA544895C93E2E1697C51F2DAFAD5A9D7
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):12232
                                                                                                                                                        Entropy (8bit):6.72993280581241
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:h7aY17aFBRAWYhW4WWFYg7VWQ4eW1R7N8xqnajFzL:J9WYhWYy7MlZ
                                                                                                                                                        MD5:A6A9DFB31BE2510F6DBFEDD476C6D15A
                                                                                                                                                        SHA1:CDB6D8BD1FBD1C71D85437CFF55DDEB76139DBE7
                                                                                                                                                        SHA-256:150D32B77B2D7F49C8D4F44B64A90D7A0F9DF0874A80FC925DAF298B038A8E4C
                                                                                                                                                        SHA-512:B4F0E8FA148FAC8A94E04BF4B44F2A26221D943CC399E7F48745ED46E8B58C52D9126110CDF868EBB723423FB0E304983D24FE6608D3757A43AD741BDDB3B7EC
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):11720
                                                                                                                                                        Entropy (8bit):6.869160264874051
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:iWYhWFGWWFYg7VWQ4eWd3BSB8p2kacqnajYu4x:iWYhWkWxSB8pUclMuY
                                                                                                                                                        MD5:50B721A0C945ABE3EDCA6BCEE2A70C6C
                                                                                                                                                        SHA1:F35B3157818D4A5AF3486B5E2E70BB510AC05EFF
                                                                                                                                                        SHA-256:DB495C7C4AD2072D09B2D4506B3A50F04487AD8B27D656685EA3FA5D9653A21D
                                                                                                                                                        SHA-512:EF2F6D28D01A5BAD7C494851077D52F22A11514548C287E513F4820C23F90020A0032E2DA16CC170AE80897AE45FC82BFFC9D18AFB2AE1A7B1DA6EEF56240840
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):21960
                                                                                                                                                        Entropy (8bit):6.271316004393454
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:nt1MCbM4Oe5grykfIgTmLSWYhWZjMlZi:t6gMq5grxfInsYL
                                                                                                                                                        MD5:461D5AF3277EFB5F000B9DF826581B80
                                                                                                                                                        SHA1:935B00C88C2065F98746E2B4353D4369216F1812
                                                                                                                                                        SHA-256:F9CE464B89DD8EA1D5E0B852369FE3A8322B4B9860E5AE401C9A3B797AED17BF
                                                                                                                                                        SHA-512:229BF31A1DE1E84CF238A0DFE0C3A13FEE86DA94D611FBC8FDB65086DEE6A8B1A6BA37C44C5826C3D8CFA120D0FBA9E690D31C5B4E73F98C8362B98BE1EE9600
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):15808
                                                                                                                                                        Entropy (8bit):6.594537759210963
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:nJB0fhrpIhhf4AN5/jiTWYhWjWWFYg7VWQ4uWT67dEO8p2kacqnajYvxfyfA:n0hrKIWYhWR/7F8pUclMJfz
                                                                                                                                                        MD5:4F06DA894EA013A5E18B8B84A9836D5A
                                                                                                                                                        SHA1:40CF36E07B738AA8BBA58BC5587643326FF412A9
                                                                                                                                                        SHA-256:876BD768C8605056579DD8962E2FD7CC96306FAB5759D904E8A24E46C25BD732
                                                                                                                                                        SHA-512:1D7C0682D343416E6942547E6A449BE4654158D6A70D78AD3C7E8C2B39C296C9406013A3CFE84D1AE8608F19BEE1D4F346D26576D7ED56456EEA39D5D7200F79
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):17352
                                                                                                                                                        Entropy (8bit):6.499657236461651
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:exUO+1pPLNPjFuWYFxEpahTWYhWWWWFYg7VWQ4eWNuvwN8xqnajFD:exUX119OFVhTWYhW2bwMlZ
                                                                                                                                                        MD5:5765103E1F5412C43295BD752CCAEA03
                                                                                                                                                        SHA1:6913BF1624599E55680A0292E22C89CAB559DB81
                                                                                                                                                        SHA-256:8F7ACE43040FA86E972CC74649D3E643D21E4CAD6CB86BA78D4C059ED35D95E4
                                                                                                                                                        SHA-512:5844AC30BC73B7FFBA75016ABEFB8A339E2F2822FC6E1441F33F70B6EB7114F828167DFC34527B0FB5460768C4DE7250C655BC56EFD8BA03115CD2DD6F6C91C0
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):17864
                                                                                                                                                        Entropy (8bit):6.382738607708961
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:9FvU4x0C5yguNvZ5VQgx3SbwA7yMVIkFGl/WYhWl76tW8pUclMgp:j5yguNvZ5VQgx3SbwA71IkFw5W8pUq
                                                                                                                                                        MD5:F364190706414020C02CF4D531E0229D
                                                                                                                                                        SHA1:5899230B0D7AD96121C3BE0DF99235DDD8A47DC6
                                                                                                                                                        SHA-256:A797C0D43A52E7C8205397225AC931638D73B567683F38DD803195DA9D34EAC2
                                                                                                                                                        SHA-512:A9C8ABBD846AB55942F440E905D1F3864B82257B8DAA44C784B1997A060DE0C0439ECC25A2193032D4D85191535E9253E435DEED23BDF3D3CB48C4209005A02E
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):13760
                                                                                                                                                        Entropy (8bit):6.681985886172717
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:g3sy5NDSWYhWmVWWFYg7VWQ4uWOpxCN8xqnajFs:LU0WYhWmTLaMlZs
                                                                                                                                                        MD5:D0B6A2CAEC62F5477E4E36B991563041
                                                                                                                                                        SHA1:8396E1E02DACE6AE4DDE33B3E432A3581BC38F5D
                                                                                                                                                        SHA-256:FD44D833EA40D50981B3151535618EB57B5513ED824A9963251D07ABFF2BAEDF
                                                                                                                                                        SHA-512:69BD6DF96DE99E6AB9C12D8A1024D20A034A7DB3E2B62E8BE7FDBC838C4E9001D2497B04209E07A5365D00366C794C31EE89B133304E475DDE5F92FDB7FCB0BC
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):11720
                                                                                                                                                        Entropy (8bit):6.852501651690859
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:a0I6fHQduPWYhWIWWFYg7VWQ4eW87AEp8p2kacqnajY4xnS:aIf5WYhWosEp8pUclMYnS
                                                                                                                                                        MD5:3DFB82541979A23A9DEB5FD4DCFB6B22
                                                                                                                                                        SHA1:5DA1D02B764917B38FDC34F4B41FB9A599105DD9
                                                                                                                                                        SHA-256:0CD6D0FF0FF5ECF973F545E98B68AC6038DB5494A8990C3B77B8A95B664B6FEB
                                                                                                                                                        SHA-512:F9A20B3D44D39D941FA131C3A1DB37614A2F9B2AF7260981A0F72C69F82A5326901F70A56B5F7AD65862630FCE59B02F650A132EE7ECFE2E4FC80F694483CA82
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):8214
                                                                                                                                                        Entropy (8bit):3.46410018464503
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:rsw6o2KPZEOTWSucfgjfJpkiZJpkiVxoVrOSBngI3NnS0FivuiLugXeTmZ4dIc8k:wlo2K/uKFVVgOgncoW
                                                                                                                                                        MD5:771DA39B527E886A247A0C0A33FFB715
                                                                                                                                                        SHA1:CB762ABE50294A08A7823C246E02CD9347555B49
                                                                                                                                                        SHA-256:763F0FE5AF80055827FB2563AF696BD1452C39BE080720AB483D0CE6AC36EE92
                                                                                                                                                        SHA-512:628382CF8A6035275B48D6FF3CF0DC17C2B61F65E4EF0F138990A09FD0CF09A4F821E2CB5780A3FDDB49A01E3F6AF1F379ED44BEF290D39B0D04D5E110B7D9A5
                                                                                                                                                        Malicious:false
Preview:
[Settings]
AuthorName=
AuthorEmail=
Language=English
RTLReading=0
CrashRptVersion=1403

[MainDlg]
DlgCaption=Error Report
HeaderText=%s has stopped working
SubHeaderText=Please send us this error report (%s) to help fix the problem and improve this software.
WhatDoesReportContain=What does this report contain?
ProvideAdditionalInfo=Provide additional info about the problem (recommended).
YourEmail=Your E-mail:
DescribeProblem=Describe in a few words what you were doing when the er
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):4369472
                                                                                                                                                        Entropy (8bit):6.59289267077476
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:98304:zpf+AnvqCbjnxmf1O2zdQ93xd7JhvhGS1unYd08gEBk:Vf+6vJbjxmfkd77hGyplC
                                                                                                                                                        MD5:4AF96C036230E02407C613237F8BC9D5
                                                                                                                                                        SHA1:5D5F362E9C1D546368F7FA15C2F443351382DF6C
                                                                                                                                                        SHA-256:422E463DEEE0D63C8C99FEE0C47BBF311377D57E34E57EE72989BC4E98DC1712
                                                                                                                                                        SHA-512:0DACFE172DFEE33EBFE66AFE433B3CB73DEF74AC72179DC4D658B359A191EFEE4C074AE0FF90F2E5A8C6D38FF548507D821948ACAD2535DA8B8CCA185C3FBBFF
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe
                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):4369472
                                                                                                                                                        Entropy (8bit):6.59289267077476
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:98304:zpf+AnvqCbjnxmf1O2zdQ93xd7JhvhGS1unYd08gEBk:Vf+6vJbjxmfkd77hGyplC
                                                                                                                                                        MD5:4AF96C036230E02407C613237F8BC9D5
                                                                                                                                                        SHA1:5D5F362E9C1D546368F7FA15C2F443351382DF6C
                                                                                                                                                        SHA-256:422E463DEEE0D63C8C99FEE0C47BBF311377D57E34E57EE72989BC4E98DC1712
                                                                                                                                                        SHA-512:0DACFE172DFEE33EBFE66AFE433B3CB73DEF74AC72179DC4D658B359A191EFEE4C074AE0FF90F2E5A8C6D38FF548507D821948ACAD2535DA8B8CCA185C3FBBFF
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):34424
                                                                                                                                                        Entropy (8bit):6.512784801153792
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:+d4mD/qs5mKxn6UhwjGqnaZjr6mlMNDuagL2qskG+FEkCelQg3Yi5skl4ehbUnf1:+d4W5mE5hYGWQ6mMC6Lkt+kl4wbUmzU
                                                                                                                                                        MD5:1DBD0059535234FC8AFCF42DAEA612CC
                                                                                                                                                        SHA1:34B9B71FC7155DCDF354107CA908490C6C7B0FE2
                                                                                                                                                        SHA-256:6ABD1EAAEC7F4F821295439DF09B79AFA30A67A9DDF6F1669A7AD83A52203340
                                                                                                                                                        SHA-512:2BC74E327F485A0EDE5788D8B175B9A0CE7FDD086DA271B2A7167C697A962C13EBA8D3A0F188BA6A0FCD168A24D5175C4D97EBA524F3890C5770F26136AF73C1
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):34424
                                                                                                                                                        Entropy (8bit):6.512784801153792
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:+d4mD/qs5mKxn6UhwjGqnaZjr6mlMNDuagL2qskG+FEkCelQg3Yi5skl4ehbUnf1:+d4W5mE5hYGWQ6mMC6Lkt+kl4wbUmzU
                                                                                                                                                        MD5:1DBD0059535234FC8AFCF42DAEA612CC
                                                                                                                                                        SHA1:34B9B71FC7155DCDF354107CA908490C6C7B0FE2
                                                                                                                                                        SHA-256:6ABD1EAAEC7F4F821295439DF09B79AFA30A67A9DDF6F1669A7AD83A52203340
                                                                                                                                                        SHA-512:2BC74E327F485A0EDE5788D8B175B9A0CE7FDD086DA271B2A7167C697A962C13EBA8D3A0F188BA6A0FCD168A24D5175C4D97EBA524F3890C5770F26136AF73C1
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):372344
                                                                                                                                                        Entropy (8bit):5.6433127384748865
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:JxR84U9TnBEMOMiotCktRTcsLUaEL3lsVTFlX0ljFvA136zd8Za:JlUFYktRfaslPBa
                                                                                                                                                        MD5:9F170BC8DC6F9DAA3DC233EC1186EAF6
                                                                                                                                                        SHA1:D8302C6355A7280CFF6A7B6A8983774405922564
                                                                                                                                                        SHA-256:EF63A855DEB878FEA795C2F251694170ED8B98526BBADF1315FE3D7AED8994CF
                                                                                                                                                        SHA-512:3B04ED0D82AF58B0EA3ECB79E224DE09F8C6E97F53868C4C09BDD093CC1A24E25264179DAB2C708C8A662C898206DFD5E42B24B03B2E27CF1BF6F093853CD3A2
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):352376
                                                                                                                                                        Entropy (8bit):5.7860727528475495
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:Lg13+6SXUqXxTOEVakoMDTkyJpj/i0kBHWAiSe8uA7oAQxb:EJ+oXkoMDIyXj/kZkxb
                                                                                                                                                        MD5:53B2CC16614853EC5CB2D186444326BF
                                                                                                                                                        SHA1:836075A538A34E4C68486A6CD47975948310E3AB
                                                                                                                                                        SHA-256:3D14491E4417BFB4E6F35BA9E3D5C7253F76E299CAFE7AF1EC3A75861F87C25B
                                                                                                                                                        SHA-512:2045996B4507BE517BBF5B018DE918D4BD9D716E7EBC702DCCB85BD45300D30947840A4C18B26E0BB95F803710F54DD04ABA9C71DC7B02B93BB979E0A5458BF4
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):25208
                                                                                                                                                        Entropy (8bit):6.398583681156456
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:m8r/ODY4e2mVkzEkK+jmE2VxfDZFShGqOi5srQIAJ8fZ8nfePPLTTjjev:L/UY4edDkK3E2XfSGe+rXAJ8R8mz6
                                                                                                                                                        MD5:4870C4C067D38EA93FDC06AD53801BF5
                                                                                                                                                        SHA1:DE57B2B78C448CF381A8253F79972C5DF65E5B55
                                                                                                                                                        SHA-256:C564B67E2FF3BB1E4C8BF5EBC9A9E3014B28768BA27C44DCCDFD0D6686400845
                                                                                                                                                        SHA-512:1D53829CAF4E0DE0BD4A187D0F732460FD25591FE335F1E6215A936AE73A77EDB201C818394D684036297331F01BB4F6A1B9A7EDD58DC5705F4A17E05BE5876E
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):32888
                                                                                                                                                        Entropy (8bit):6.366189239788212
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:SVzMPPFyaBJdbIr1coZjUFF6zAY2UX9uGahWN56omz8Y:SpYbe1pUFF6zAY209uGahg56BX
                                                                                                                                                        MD5:F1A96D6A6E415BC16A21C8557335B910
                                                                                                                                                        SHA1:31B67D9DBE605F2BA0276828912671FF3F520EF5
                                                                                                                                                        SHA-256:46E3E790B150F55FAB6E1509E65804D570D66603FC59CF80A3B7B1005359506D
                                                                                                                                                        SHA-512:F24615198FAE508A9AE4C75055E315F8EC46B54C5C34163AAB56A0F976FF1CC672D556036AC04980B8BE8DE5C734512E63B6E41B5576DCAFE5DD8BF697A0AEF1
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):26232
                                                                                                                                                        Entropy (8bit):6.256154478197342
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:HePY94fVM1Eyof7rjPDsEDw/iYnqO25QpyFJruvlnfePPLTTjgJg:+gmVMToDvDsEDw/nCCpyFJr0mzUe
                                                                                                                                                        MD5:AC337E90E882E1C887212DB18F667BB5
                                                                                                                                                        SHA1:A0668F44E8A16AE723FCB3011646671D57C61AA1
                                                                                                                                                        SHA-256:EC69599D23D138476342255C204564BE8117B33730AE84E29063D5E2ACA1AC52
                                                                                                                                                        SHA-512:75BB921FAE0BB7685D2EBE6B296600A3066E790C5FF22C1631BEC260A7848CEA211A41A2F8DE2A8283770692934A6EDE6F908BB60EE53C34D97E39F7A68B6847
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):411256
                                                                                                                                                        Entropy (8bit):6.716767399938534
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12288:HtXD8S+5nDJFnhVGJtdZNcGAwiDXL0rUwffzNk:HtXgS+5nDzatdZ6giD7cDG
                                                                                                                                                        MD5:4B915730082C48A5F7A6D38B86F8DB6D
                                                                                                                                                        SHA1:7048BF42D2302C8B996A6FDEA9B1F335D8C15DBE
                                                                                                                                                        SHA-256:9C426A25A9966A48E1DA323924F2DFE2BEFFC2D59A09CE94BD58C26C724C5AE8
                                                                                                                                                        SHA-512:79C83802F0A660D3BD5D70A7EAF90D57F717C76603CFE7A04FAB4E1F54C1ABCFDD05E0FABAAEB19F10816A30C3B58751C506DE8BE3FF662FA6B9BF77D2E44F52
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):30840
                                                                                                                                                        Entropy (8bit):6.474092660799376
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:s24GEcF4Bv6MyBgPE3+bTZAvACXCZ6asJgLmzg:nEjR6Myms3+bTZAvAuCZ6asJX0
                                                                                                                                                        MD5:B8AB77896FD026607CB69449D46542A0
                                                                                                                                                        SHA1:E6EC0433F2100AE3D10F4CA63AE1BF150216D9C2
                                                                                                                                                        SHA-256:4B7E2FB1B656840AB2CBBF6F7208A5A52CFB63B8725FB19807EB28CBEA822DCA
                                                                                                                                                        SHA-512:6BBB5D654707D6A67631A68A013D88071240511831C731A7FACBFA41FE678D6DCBDFE76B7BDADA5860EC176FC5DED12CABEE045EE28BE90975C11B66C97E48C5
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):39544
                                                                                                                                                        Entropy (8bit):6.5005630896773186
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:TJVI8DaIhOSb/uqJUDPSfEGlQaMuAS3DJJEwmrmz0i2:TJUYOSTJ1EGlQbuAiDJJEwmSf2
                                                                                                                                                        MD5:FC8F392DFC984A517C2EFFCD06396AE0
                                                                                                                                                        SHA1:E8FBA2260BB2266623F7D36DAA6A20AA131EA693
                                                                                                                                                        SHA-256:79A566A4C494393BDEC6D7FDF9B513A0F565C0E3EF7315CF1C0D31411147DAAB
                                                                                                                                                        SHA-512:E6DB039B5F790562B99BFC00802EDAC95AF0C9F46C7B08E43C6F07C0971E7D405B2218AA868BF66F4D249A3A258CF8FC97FA54A18168F30D44AAAC5BED19EB25
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):27256
                                                                                                                                                        Entropy (8bit):6.273902321527826
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:6V5a4Yxx3TRZIrDl5d+jcEeM5uTojmzgA:Z4Yxx3N6rDl5d+jcRM5uTb8A
                                                                                                                                                        MD5:CBAACC4FBCBAEDECF89A193D4923BEAF
                                                                                                                                                        SHA1:B709E2412ACE8BD1D9911E9C02406130AEC2E3DC
                                                                                                                                                        SHA-256:70800F7EE34A249FB33B4A1A108439F364DF6AB7C12DBAAE065F14D8835F5DF5
                                                                                                                                                        SHA-512:D93FA250E24631F28D5F7FDFFE0CBF2D3E8BE80FE49DA386EE8B15780DF72B6A69A3229652CAE9F905C5AAE6D9EDD63AD6175261DCE89FFE79B1B97A7886E618
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):32888
                                                                                                                                                        Entropy (8bit):6.366189239788212
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:SVzMPPFyaBJdbIr1coZjUFF6zAY2UX9uGahWN56omz8Y:SpYbe1pUFF6zAY209uGahg56BX
                                                                                                                                                        MD5:F1A96D6A6E415BC16A21C8557335B910
                                                                                                                                                        SHA1:31B67D9DBE605F2BA0276828912671FF3F520EF5
                                                                                                                                                        SHA-256:46E3E790B150F55FAB6E1509E65804D570D66603FC59CF80A3B7B1005359506D
                                                                                                                                                        SHA-512:F24615198FAE508A9AE4C75055E315F8EC46B54C5C34163AAB56A0F976FF1CC672D556036AC04980B8BE8DE5C734512E63B6E41B5576DCAFE5DD8BF697A0AEF1
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):39544
                                                                                                                                                        Entropy (8bit):6.5005630896773186
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:TJVI8DaIhOSb/uqJUDPSfEGlQaMuAS3DJJEwmrmz0i2:TJUYOSTJ1EGlQbuAiDJJEwmSf2
                                                                                                                                                        MD5:FC8F392DFC984A517C2EFFCD06396AE0
                                                                                                                                                        SHA1:E8FBA2260BB2266623F7D36DAA6A20AA131EA693
                                                                                                                                                        SHA-256:79A566A4C494393BDEC6D7FDF9B513A0F565C0E3EF7315CF1C0D31411147DAAB
                                                                                                                                                        SHA-512:E6DB039B5F790562B99BFC00802EDAC95AF0C9F46C7B08E43C6F07C0971E7D405B2218AA868BF66F4D249A3A258CF8FC97FA54A18168F30D44AAAC5BED19EB25
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):30840
                                                                                                                                                        Entropy (8bit):6.474092660799376
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:s24GEcF4Bv6MyBgPE3+bTZAvACXCZ6asJgLmzg:nEjR6Myms3+bTZAvAuCZ6asJX0
                                                                                                                                                        MD5:B8AB77896FD026607CB69449D46542A0
                                                                                                                                                        SHA1:E6EC0433F2100AE3D10F4CA63AE1BF150216D9C2
                                                                                                                                                        SHA-256:4B7E2FB1B656840AB2CBBF6F7208A5A52CFB63B8725FB19807EB28CBEA822DCA
                                                                                                                                                        SHA-512:6BBB5D654707D6A67631A68A013D88071240511831C731A7FACBFA41FE678D6DCBDFE76B7BDADA5860EC176FC5DED12CABEE045EE28BE90975C11B66C97E48C5
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):372344
                                                                                                                                                        Entropy (8bit):5.6433127384748865
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:JxR84U9TnBEMOMiotCktRTcsLUaEL3lsVTFlX0ljFvA136zd8Za:JlUFYktRfaslPBa
                                                                                                                                                        MD5:9F170BC8DC6F9DAA3DC233EC1186EAF6
                                                                                                                                                        SHA1:D8302C6355A7280CFF6A7B6A8983774405922564
                                                                                                                                                        SHA-256:EF63A855DEB878FEA795C2F251694170ED8B98526BBADF1315FE3D7AED8994CF
                                                                                                                                                        SHA-512:3B04ED0D82AF58B0EA3ECB79E224DE09F8C6E97F53868C4C09BDD093CC1A24E25264179DAB2C708C8A662C898206DFD5E42B24B03B2E27CF1BF6F093853CD3A2
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):27256
                                                                                                                                                        Entropy (8bit):6.273902321527826
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:6V5a4Yxx3TRZIrDl5d+jcEeM5uTojmzgA:Z4Yxx3N6rDl5d+jcRM5uTb8A
                                                                                                                                                        MD5:CBAACC4FBCBAEDECF89A193D4923BEAF
                                                                                                                                                        SHA1:B709E2412ACE8BD1D9911E9C02406130AEC2E3DC
                                                                                                                                                        SHA-256:70800F7EE34A249FB33B4A1A108439F364DF6AB7C12DBAAE065F14D8835F5DF5
                                                                                                                                                        SHA-512:D93FA250E24631F28D5F7FDFFE0CBF2D3E8BE80FE49DA386EE8B15780DF72B6A69A3229652CAE9F905C5AAE6D9EDD63AD6175261DCE89FFE79B1B97A7886E618
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):26232
                                                                                                                                                        Entropy (8bit):6.256154478197342
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:HePY94fVM1Eyof7rjPDsEDw/iYnqO25QpyFJruvlnfePPLTTjgJg:+gmVMToDvDsEDw/nCCpyFJr0mzUe
                                                                                                                                                        MD5:AC337E90E882E1C887212DB18F667BB5
                                                                                                                                                        SHA1:A0668F44E8A16AE723FCB3011646671D57C61AA1
                                                                                                                                                        SHA-256:EC69599D23D138476342255C204564BE8117B33730AE84E29063D5E2ACA1AC52
                                                                                                                                                        SHA-512:75BB921FAE0BB7685D2EBE6B296600A3066E790C5FF22C1631BEC260A7848CEA211A41A2F8DE2A8283770692934A6EDE6F908BB60EE53C34D97E39F7A68B6847
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):352376
                                                                                                                                                        Entropy (8bit):5.7860727528475495
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:Lg13+6SXUqXxTOEVakoMDTkyJpj/i0kBHWAiSe8uA7oAQxb:EJ+oXkoMDIyXj/kZkxb
                                                                                                                                                        MD5:53B2CC16614853EC5CB2D186444326BF
                                                                                                                                                        SHA1:836075A538A34E4C68486A6CD47975948310E3AB
                                                                                                                                                        SHA-256:3D14491E4417BFB4E6F35BA9E3D5C7253F76E299CAFE7AF1EC3A75861F87C25B
                                                                                                                                                        SHA-512:2045996B4507BE517BBF5B018DE918D4BD9D716E7EBC702DCCB85BD45300D30947840A4C18B26E0BB95F803710F54DD04ABA9C71DC7B02B93BB979E0A5458BF4
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):25208
                                                                                                                                                        Entropy (8bit):6.398583681156456
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:m8r/ODY4e2mVkzEkK+jmE2VxfDZFShGqOi5srQIAJ8fZ8nfePPLTTjjev:L/UY4edDkK3E2XfSGe+rXAJ8R8mz6
                                                                                                                                                        MD5:4870C4C067D38EA93FDC06AD53801BF5
                                                                                                                                                        SHA1:DE57B2B78C448CF381A8253F79972C5DF65E5B55
                                                                                                                                                        SHA-256:C564B67E2FF3BB1E4C8BF5EBC9A9E3014B28768BA27C44DCCDFD0D6686400845
                                                                                                                                                        SHA-512:1D53829CAF4E0DE0BD4A187D0F732460FD25591FE335F1E6215A936AE73A77EDB201C818394D684036297331F01BB4F6A1B9A7EDD58DC5705F4A17E05BE5876E
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):411256
                                                                                                                                                        Entropy (8bit):6.716767399938534
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12288:HtXD8S+5nDJFnhVGJtdZNcGAwiDXL0rUwffzNk:HtXgS+5nDzatdZ6giD7cDG
                                                                                                                                                        MD5:4B915730082C48A5F7A6D38B86F8DB6D
                                                                                                                                                        SHA1:7048BF42D2302C8B996A6FDEA9B1F335D8C15DBE
                                                                                                                                                        SHA-256:9C426A25A9966A48E1DA323924F2DFE2BEFFC2D59A09CE94BD58C26C724C5AE8
                                                                                                                                                        SHA-512:79C83802F0A660D3BD5D70A7EAF90D57F717C76603CFE7A04FAB4E1F54C1ABCFDD05E0FABAAEB19F10816A30C3B58751C506DE8BE3FF662FA6B9BF77D2E44F52
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):11720
                                                                                                                                                        Entropy (8bit):6.859698838321107
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:FPWYhW5WWFYg7VWQ4eWxSwPGux5DqnajuyVp:FPWYhW3+Dligp
                                                                                                                                                        MD5:86421619DAD87870E5F3CC0BEB1F7963
                                                                                                                                                        SHA1:2F0FE3EB94FA90577846D49C03C4FD08EF9D3FB2
                                                                                                                                                        SHA-256:64ECCD818F6FFC13F57A2EC5CA358B401FFBB1CA13B0C523D479EF5EE9EB44AB
                                                                                                                                                        SHA-512:DBCE9904DD5A403A5A69E528EE1179CC5FAAB1361715A29B1A0DE0CD33AD3AE9C9D5620DAFB161FDA86CB27909D001BE8955940FD051077FFE6F3FF82357AD31
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):21376
                                                                                                                                                        Entropy (8bit):6.486713548287172
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:2k0HTiHQYmjfFKyaWcw5gWUsadHRN7ya/hl3KS0nyGqU:H2iF0FK4VoySIyRU
                                                                                                                                                        MD5:56F86F08DE73C981031224CDE928DFA8
                                                                                                                                                        SHA1:C009AA8D145276ED5D1FC21F83BF004594B9793F
                                                                                                                                                        SHA-256:8906D59ED097E7B857DD19A5323CB0EAB006AF7D1F20EE233C4C86645C7F3A0B
                                                                                                                                                        SHA-512:6BCF58A60435A90ABC06334FBAE1507015F793760027F75F6696023AF2A88517DC31B87A86984A0B877384BEA73BC444A92293790FDA3420D36CFC0736E4195E
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):8214
                                                                                                                                                        Entropy (8bit):3.46410018464503
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:rsw6o2KPZEOTWSucfgjfJpkiZJpkiVxoVrOSBngI3NnS0FivuiLugXeTmZ4dIc8k:wlo2K/uKFVVgOgncoW
                                                                                                                                                        MD5:771DA39B527E886A247A0C0A33FFB715
                                                                                                                                                        SHA1:CB762ABE50294A08A7823C246E02CD9347555B49
                                                                                                                                                        SHA-256:763F0FE5AF80055827FB2563AF696BD1452C39BE080720AB483D0CE6AC36EE92
                                                                                                                                                        SHA-512:628382CF8A6035275B48D6FF3CF0DC17C2B61F65E4EF0F138990A09FD0CF09A4F821E2CB5780A3FDDB49A01E3F6AF1F379ED44BEF290D39B0D04D5E110B7D9A5
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[Settings] AuthorName= AuthorEmail= Language=English RTLReading=0 CrashRptVersion=1403 [MainDlg] DlgCaption=Error Report HeaderText=%s has stopped working SubHeaderText=Please send us this error report (%s) to help fix the problem and improve this software. WhatDoesReportContain=What does this report contain? ProvideAdditionalInfo=Provide additional info about the problem (recommended). YourEmail=Your E-mail: DescribeProblem=Describe in a few words what you were doing when the er
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):157208
                                                                                                                                                        Entropy (8bit):6.1934682249941115
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3072:zKEv+wyTqNr2Z+7UXkvrZexxuF0tBzwuXh47ht0OiJPex01d54aJ:zPv+5qB2ZwKkvrmu6tJ16lg1dRJ
                                                                                                                                                        MD5:D4DB02A96B703FDBFAD4443AB8FA504F
                                                                                                                                                        SHA1:39AD32AE327789C62FD32FCB6C1F4471F1DCE47F
                                                                                                                                                        SHA-256:21171F394862D2342F5AF507A54655B454F510D0B8800E6A4929829EB28F830E
                                                                                                                                                        SHA-512:D5FCB52ACE86D863B822E06070CF34577BC15BA19CB9CFB2D4C1C16705521E779B8B42ECD2EC9E783B06B2A89C92C259015D88E255FCFBCF19D78D2F276B4009
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):450952
                                                                                                                                                        Entropy (8bit):6.636302273840038
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12288:ho0HQo+Oem3turAvbA2VOt4avcG9u5sl1nhUgiW6QR7t5s03Ooc8dHkC2esA1s:W0HQXm3turm9VOtTvc/03Ooc8dHkC2es
                                                                                                                                                        MD5:D3CE785725FFFAB73DB212D0E943A788
                                                                                                                                                        SHA1:74E8E951BE171B434C6DDC1BA7681BC15C8374BC
                                                                                                                                                        SHA-256:08A47A1B10C4BCBAAC64B49ADF4B8F19B37F5B5820416F2D83F2D71B16BB5F93
                                                                                                                                                        SHA-512:8888560DF96776C275C9CB46E379F17E709FEBBA52EEE49DBFBDB72665FF656F6242B498E5B2737FEE6CA92370361F0D853065C1A0C0382665A7015EBE1156EE
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):11720
                                                                                                                                                        Entropy (8bit):6.825370088644229
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:k/DiDfIeJWYhWGWWFYg7VWQ4eWlLoCjux5Dqnajuy:JDfIeJWYhWm+PUDli
                                                                                                                                                        MD5:B5C8334A10B191031769D5DE01DF9459
                                                                                                                                                        SHA1:83A8FCC777C7E8C42FA4C59EE627BAF6CBED1969
                                                                                                                                                        SHA-256:6C27AC0542281649EC8638602FBC24F246424BA550564FC7B290B683F79E712D
                                                                                                                                                        SHA-512:59E53C515DFA2CD96182CA6539ED0EA2EBB01F5991BEB08166D1FC53576AEAAFEBBB2C5EE0CCBDAB60AE45FC6A048FFF0B5E1B8C9C26907791D31FB7E75B1F39
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):29308848
                                                                                                                                                        Entropy (8bit):6.429221480087082
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:393216:2KMiAG0wPidFOhuTFx0IkcUZ33uk+aEIPtD:2kzidFOSxat3uk+and
                                                                                                                                                        MD5:4C58277BCB810B7B7F07BAAAF0C4D409
                                                                                                                                                        SHA1:A64EC7B797FDABFA81EE71502C6462AFD836FFDD
                                                                                                                                                        SHA-256:26309184E7986C384AE0BECB6916240E71E139DD2FB1A031D3263B79652B1B7A
                                                                                                                                                        SHA-512:FC973BDF9778CEDB565445FBABDECFA880F6C8218C3F5279CC1F9BC400695828372F7489ED4CB9D404BC945DBF7F14964F6C0A977A4F1EB380E63CB6A8EDD1D6
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):11720
                                                                                                                                                        Entropy (8bit):6.869160264874051
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:iWYhWFGWWFYg7VWQ4eWd3BSB8p2kacqnajYu4x:iWYhWkWxSB8pUclMuY
                                                                                                                                                        MD5:50B721A0C945ABE3EDCA6BCEE2A70C6C
                                                                                                                                                        SHA1:F35B3157818D4A5AF3486B5E2E70BB510AC05EFF
                                                                                                                                                        SHA-256:DB495C7C4AD2072D09B2D4506B3A50F04487AD8B27D656685EA3FA5D9653A21D
                                                                                                                                                        SHA-512:EF2F6D28D01A5BAD7C494851077D52F22A11514548C287E513F4820C23F90020A0032E2DA16CC170AE80897AE45FC82BFFC9D18AFB2AE1A7B1DA6EEF56240840
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):13768
                                                                                                                                                        Entropy (8bit):6.798905181617243
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:6GEOMw3zdp3bwjGzue9/0jCRrndbFWYhWfRDli:6TOMwBprwjGzue9/0jCRrndbB0
                                                                                                                                                        MD5:21519F4D5F1FEA53532A0B152910EF8B
                                                                                                                                                        SHA1:7833AC2C20263C8BE42F67151F9234EB8E4A5515
                                                                                                                                                        SHA-256:5FBD69186F414D1D99AC61C9C15A57390FF21FE995E5C01F1C4E14510B6FB9B1
                                                                                                                                                        SHA-512:97211FAD4AAE2F6A6B783107938F0635C302445E74FC34A26AA386864509919C3F084E80579D2502105D9256AAB9F57EA16137C43344B1C62F64E5BC1125A417
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):5377144
                                                                                                                                                        Entropy (8bit):6.853679063871745
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:98304:eLlOKYcFr4K9pJsv6tWKFdu9CjvpzjgwWe:eLDrlJsv6tWKFdu9CjRvFWe
                                                                                                                                                        MD5:316FB94DA47EAC5933F3007A8CCA4356
                                                                                                                                                        SHA1:4C17A1A8E21940066BCBB5A0F09F6DA9C26039DA
                                                                                                                                                        SHA-256:0DED0E1CDB33B58CCB8FA20837EBFA9D17A9737BCEB078D0D16F3EF4AC349C5D
                                                                                                                                                        SHA-512:B791A9DC14CB852344D33A7F0DFA5C3C7AC54E50B888024E6795A9FF5372B8554E464C9AF9280289652981B58723C9E4BC72C514D3C346CD020998F67AB84D95
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):15304
                                                                                                                                                        Entropy (8bit):6.565748840552441
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:YM0wd8dc9cydWYhWtWWFYg7VWQ4eWydY8p2kacqnajYWx:B0wd8xydWYhWrjY8pUclMK
                                                                                                                                                        MD5:88F89D0F2BD5748ED1AF75889E715E6A
                                                                                                                                                        SHA1:8ADA489B9FF33530A3FB7161CC07B5B11DFB8909
                                                                                                                                                        SHA-256:02C78781BF6CC5F22A0ECEDC3847BFD20BED4065AC028C386D063DC2318C33CC
                                                                                                                                                        SHA-512:1F5A00284CA1D6DC6AE2DFCE306FEBFA6D7D71D421583E4CE6890389334C2D98291E98E992B58136F5D1A41590553E3AD42FB362247AE8ADF60E33397AFBB5DF
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):433272
                                                                                                                                                        Entropy (8bit):6.406577939449063
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:VuWoR2Bwb8HHEgIjBN4SlBZr5j7E8doP+kTRzbh10rNus/vUS+B+/iSMk:VuWODb8nYBN4wBl5M8qPf3wNNmk
                                                                                                                                                        MD5:E368A66AD5114ADF1F43790AB728CED2
                                                                                                                                                        SHA1:C6E86F5B71D628B2556249CC96FDC2884B833143
                                                                                                                                                        SHA-256:5CCA88F525E8B371EB579DA114C26F1EC570157A95EB83A6CC38EA888FF400EA
                                                                                                                                                        SHA-512:D801024C78F986B00CD16E94903057B4D41B72E0C04497A50E70C7CC65F9DA54C347B46D234C26894D9FC7DE6574D5086D2B2E97E66DF0AD1F958438A109BFAF
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):11720
                                                                                                                                                        Entropy (8bit):6.852501651690859
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:a0I6fHQduPWYhWIWWFYg7VWQ4eW87AEp8p2kacqnajY4xnS:aIf5WYhWosEp8pUclMYnS
                                                                                                                                                        MD5:3DFB82541979A23A9DEB5FD4DCFB6B22
                                                                                                                                                        SHA1:5DA1D02B764917B38FDC34F4B41FB9A599105DD9
                                                                                                                                                        SHA-256:0CD6D0FF0FF5ECF973F545E98B68AC6038DB5494A8990C3B77B8A95B664B6FEB
                                                                                                                                                        SHA-512:F9A20B3D44D39D941FA131C3A1DB37614A2F9B2AF7260981A0F72C69F82A5326901F70A56B5F7AD65862630FCE59B02F650A132EE7ECFE2E4FC80F694483CA82
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):17864
                                                                                                                                                        Entropy (8bit):6.382738607708961
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:9FvU4x0C5yguNvZ5VQgx3SbwA7yMVIkFGl/WYhWl76tW8pUclMgp:j5yguNvZ5VQgx3SbwA71IkFw5W8pUq
                                                                                                                                                        MD5:F364190706414020C02CF4D531E0229D
                                                                                                                                                        SHA1:5899230B0D7AD96121C3BE0DF99235DDD8A47DC6
                                                                                                                                                        SHA-256:A797C0D43A52E7C8205397225AC931638D73B567683F38DD803195DA9D34EAC2
                                                                                                                                                        SHA-512:A9C8ABBD846AB55942F440E905D1F3864B82257B8DAA44C784B1997A060DE0C0439ECC25A2193032D4D85191535E9253E435DEED23BDF3D3CB48C4209005A02E
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):17352
                                                                                                                                                        Entropy (8bit):6.499657236461651
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:exUO+1pPLNPjFuWYFxEpahTWYhWWWWFYg7VWQ4eWNuvwN8xqnajFD:exUX119OFVhTWYhW2bwMlZ
                                                                                                                                                        MD5:5765103E1F5412C43295BD752CCAEA03
                                                                                                                                                        SHA1:6913BF1624599E55680A0292E22C89CAB559DB81
                                                                                                                                                        SHA-256:8F7ACE43040FA86E972CC74649D3E643D21E4CAD6CB86BA78D4C059ED35D95E4
                                                                                                                                                        SHA-512:5844AC30BC73B7FFBA75016ABEFB8A339E2F2822FC6E1441F33F70B6EB7114F828167DFC34527B0FB5460768C4DE7250C655BC56EFD8BA03115CD2DD6F6C91C0
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):11720
                                                                                                                                                        Entropy (8bit):6.825370088644229
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:k/DiDfIeJWYhWGWWFYg7VWQ4eWlLoCjux5Dqnajuy:JDfIeJWYhWm+PUDli
                                                                                                                                                        MD5:B5C8334A10B191031769D5DE01DF9459
                                                                                                                                                        SHA1:83A8FCC777C7E8C42FA4C59EE627BAF6CBED1969
                                                                                                                                                        SHA-256:6C27AC0542281649EC8638602FBC24F246424BA550564FC7B290B683F79E712D
                                                                                                                                                        SHA-512:59E53C515DFA2CD96182CA6539ED0EA2EBB01F5991BEB08166D1FC53576AEAAFEBBB2C5EE0CCBDAB60AE45FC6A048FFF0B5E1B8C9C26907791D31FB7E75B1F39
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):13248
                                                                                                                                                        Entropy (8bit):6.8050900373153675
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:BGnWlC0i5ClWYhWCWWFYg7VWQ4SWg896Tem8p2kacqnajYPxw:cnWm5ClWYhWyld8pUclMpw
                                                                                                                                                        MD5:A1B6CEBD3D7A8B25B9A9CBC18D03A00C
                                                                                                                                                        SHA1:5516DE099C49E0E6D1224286C3DC9B4D7985E913
                                                                                                                                                        SHA-256:162CCF78FA5A4A2EE380F72FBD54D17A73C929A76F6E3659F537FA8F42602362
                                                                                                                                                        SHA-512:A322FB09E6FAAFF0DAABB4F0284E4E90CCACFF27161DBFD77D39A9A93DBF30069B9D86BF15A07FC2006A55AF2C35CD8EA544895C93E2E1697C51F2DAFAD5A9D7
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):433272
                                                                                                                                                        Entropy (8bit):6.406577939449063
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:VuWoR2Bwb8HHEgIjBN4SlBZr5j7E8doP+kTRzbh10rNus/vUS+B+/iSMk:VuWODb8nYBN4wBl5M8qPf3wNNmk
                                                                                                                                                        MD5:E368A66AD5114ADF1F43790AB728CED2
                                                                                                                                                        SHA1:C6E86F5B71D628B2556249CC96FDC2884B833143
                                                                                                                                                        SHA-256:5CCA88F525E8B371EB579DA114C26F1EC570157A95EB83A6CC38EA888FF400EA
                                                                                                                                                        SHA-512:D801024C78F986B00CD16E94903057B4D41B72E0C04497A50E70C7CC65F9DA54C347B46D234C26894D9FC7DE6574D5086D2B2E97E66DF0AD1F958438A109BFAF
                                                                                                                                                        Malicious:false
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):11720
                                                                                                                                                        Entropy (8bit):6.761525250479804
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:CKNMWYhWtWWFYg7VWQ4eWSwRrHN8xqnajFW:CKNMWYhWrYHMlZW
                                                                                                                                                        MD5:0979785E3EF8137CDD47C797ADCB96E3
                                                                                                                                                        SHA1:4051C6EB37A4C0DBA47B58301E63DF76BFF347DD
                                                                                                                                                        SHA-256:D5164AECDE4523FFA2DCFD0315B49428AC220013132AD48422A8EA4CA2361257
                                                                                                                                                        SHA-512:E369BC53BABD327F5D1B9833C0B8D6C7E121072AD81D4BA1FB3E2679F161FB6A9FA2FCA0DF0BAC532FD439BEB0D754583582D1DBFECCF2D38CC4F3BDCA39B52D
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):4369472
                                                                                                                                                        Entropy (8bit):6.59289267077476
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:98304:zpf+AnvqCbjnxmf1O2zdQ93xd7JhvhGS1unYd08gEBk:Vf+6vJbjxmfkd77hGyplC
                                                                                                                                                        MD5:4AF96C036230E02407C613237F8BC9D5
                                                                                                                                                        SHA1:5D5F362E9C1D546368F7FA15C2F443351382DF6C
                                                                                                                                                        SHA-256:422E463DEEE0D63C8C99FEE0C47BBF311377D57E34E57EE72989BC4E98DC1712
                                                                                                                                                        SHA-512:0DACFE172DFEE33EBFE66AFE433B3CB73DEF74AC72179DC4D658B359A191EFEE4C074AE0FF90F2E5A8C6D38FF548507D821948ACAD2535DA8B8CCA185C3FBBFF
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):12232
                                                                                                                                                        Entropy (8bit):6.72993280581241
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:h7aY17aFBRAWYhW4WWFYg7VWQ4eW1R7N8xqnajFzL:J9WYhWYy7MlZ
                                                                                                                                                        MD5:A6A9DFB31BE2510F6DBFEDD476C6D15A
                                                                                                                                                        SHA1:CDB6D8BD1FBD1C71D85437CFF55DDEB76139DBE7
                                                                                                                                                        SHA-256:150D32B77B2D7F49C8D4F44B64A90D7A0F9DF0874A80FC925DAF298B038A8E4C
                                                                                                                                                        SHA-512:B4F0E8FA148FAC8A94E04BF4B44F2A26221D943CC399E7F48745ED46E8B58C52D9126110CDF868EBB723423FB0E304983D24FE6608D3757A43AD741BDDB3B7EC
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1062520
                                                                                                                                                        Entropy (8bit):6.681028028686963
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:BqjkFWDYqDVCDIkRhMq33zROfSRW88W8mg:wcD9TEf1Wo
                                                                                                                                                        MD5:0FD8AD9B5FE25811E9FA9125E791E083
                                                                                                                                                        SHA1:680FDA9F8B4EBEE870C5DEA0E9DFEE0A918E4E5E
                                                                                                                                                        SHA-256:C9A7571426BB7D0F0939DC4D39D22329373FBD0320708EC6B99C0F516FF77D78
                                                                                                                                                        SHA-512:60899B2FD00D7AC3B34639891664F2F280FD32AF1B0ADB2DED09DB87336243BCDCD731F8D30CFFA665A2BCEAC83771622E755EDAA8DDF5889539B66ABB842E8E
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):6190104
                                                                                                                                                        Entropy (8bit):7.421682960763955
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:98304:MK+/ifzrm29tZTwpN9EVbjl4ece6GMUdaVelHxzINC75Z:X+/ibrm29tZFVvl48DueJO475Z
                                                                                                                                                        MD5:74E2784C899F1D77D6679A03D60A3D64
                                                                                                                                                        SHA1:FF43817A59C7A6964DCC8F9DB2B9A16E1FE58C3C
                                                                                                                                                        SHA-256:A9E1AF2711021486E6BCD3B6520072BC71EC8DF0D63336421286E2C4F3DB7EA8
                                                                                                                                                        SHA-512:E745DD67367588CAAE9B75919DCD370AA26647CDB172C2A0C26A709367D6E526214C7787AAA2BC317FFE6C99BB04C6117E142787A7CE936AD391F21417AF1832
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):5929592
                                                                                                                                                        Entropy (8bit):6.794857574868927
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:49152:7XWX+slNUrE5ZiXVSTsxkHDl3HHx4oRZ0ggBEFslA6A5ORbkVIa+r8ZJU/tNN4gG:752gcsxUl3HN0VUVCr8Ib6mLV9+
                                                                                                                                                        MD5:253C8B17A1476DC182C31B75E98B6A0E
                                                                                                                                                        SHA1:49A511A017EE77FFAC72AF8B007C67C9F6637D53
                                                                                                                                                        SHA-256:55B26B1236A79A6985DC9B6114DD227F5DFF06D6932223DDA02D9ED95968B779
                                                                                                                                                        SHA-512:A5110FDB18DA6D87641B0299EA947F149030B61779EBEEA300F75A555F3F2AB61BFA79204593D3A84F2BE41945A3E82472002F876A3BAC845BADAB871897754C
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):11208
                                                                                                                                                        Entropy (8bit):6.914984712440467
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:UC/b2WYhWIWWFYg7VWQ4eW5AZa8p2kacqnajYhx:UC/b2WYhWoY8pUclMH
                                                                                                                                                        MD5:B181124928D8EB7B6CAA0C2C759155CB
                                                                                                                                                        SHA1:1AADBBD43EFF2DF7BAB51C6F3BDA2EB2623B281A
                                                                                                                                                        SHA-256:24EA638DFA9F40E2F395E26E36D308DB2AB25ED1BAA5C796AC2C560AD4C89D77
                                                                                                                                                        SHA-512:2A43BF4D50D47924374CDE689BE24799C4E1C132C0BC981F5109952D3322E91DD5A9352B53BB55CA79A6EA92E2C387E87C064B9D8C8F519B77FFF973D752DC8F
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1168840
                                                                                                                                                        Entropy (8bit):6.796126828525289
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:tCjjeiNFnAp+O+R2l2WDPc/9qHrX0cJ/gAp0ei5mcvIZPoy4aVvFjDp:4jyuRR2l2WD6I/bp0erVL
                                                                                                                                                        MD5:2040CDCD779BBEBAD36D36035C675D99
                                                                                                                                                        SHA1:918BC19F55E656F6D6B1E4713604483EB997EA15
                                                                                                                                                        SHA-256:2AD9A105A9CAA24F41E7B1A6F303C07E6FAECEAF3AAF43EBD644D9D5746A4359
                                                                                                                                                        SHA-512:83DC3C7E35F0F83E1224505D04CDBAEE12B7EA37A2C3367CB4FCCC4FFF3E5923CF8A79DD513C33A667D8231B1CC6CFB1E33F957D92E195892060A22F53C7532F
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):539160
                                                                                                                                                        Entropy (8bit):5.767679498376213
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12288:PksKJlXTd8oLjM54JNv63wwSh3PXU2lvzXv6OV:7IlXp8q230hfXU2lvz/6OV
                                                                                                                                                        MD5:E8B31242BADE80571DE091E389ABCF2B
                                                                                                                                                        SHA1:95CF1683CEBC7EAEE9FCDBA35394FE163F584DB3
                                                                                                                                                        SHA-256:C6ECE484FD7FC0E7FD1BC17B2A1218F0D6E24DDB7F35FBBC0FBFEC0923EE6B45
                                                                                                                                                        SHA-512:0D9D289C007D03E3CB9FB38EBE61E94534432C427B323300066EFA27E0DAB86B18F86C4576F26A15C159131C89790040DEBE1D8635B742E0344D01BF2CEFAC18
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):29308848
                                                                                                                                                        Entropy (8bit):6.429221480087082
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:393216:2KMiAG0wPidFOhuTFx0IkcUZ33uk+aEIPtD:2kzidFOSxat3uk+and
                                                                                                                                                        MD5:4C58277BCB810B7B7F07BAAAF0C4D409
                                                                                                                                                        SHA1:A64EC7B797FDABFA81EE71502C6462AFD836FFDD
                                                                                                                                                        SHA-256:26309184E7986C384AE0BECB6916240E71E139DD2FB1A031D3263B79652B1B7A
                                                                                                                                                        SHA-512:FC973BDF9778CEDB565445FBABDECFA880F6C8218C3F5279CC1F9BC400695828372F7489ED4CB9D404BC945DBF7F14964F6C0A977A4F1EB380E63CB6A8EDD1D6
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):11416
                                                                                                                                                        Entropy (8bit):6.815621198462554
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:KdWYhWJWWFYg7VWQ4WWeRkJqnajgrTZutRnPZA9S:KdWYhWHsJl0huHnPZA9S
                                                                                                                                                        MD5:CD3CEC3D65AE62FDF044F720245F29C0
                                                                                                                                                        SHA1:C4643779A0F0F377323503F2DB8D2E4D74C738CA
                                                                                                                                                        SHA-256:676A6DA661E0C02E72BEA510F5A48CAE71FDC4DA0B1B089C24BFF87651EC0141
                                                                                                                                                        SHA-512:ACA1029497C5A9D26EE09810639278EB17B8FD11B15C9017C8B578FCED29CEF56F172750C4CC2B0D1EBF8683D29E15DE52A6951FB23D78712E31DDCB41776B0F
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):971064
                                                                                                                                                        Entropy (8bit):6.965132668528083
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:wmFyjHVMxBuwQLYucGp4iiqgNb3HoIbiIw:2My2yRgFoIbnw
                                                                                                                                                        MD5:2FB20C782C237F8B23DF112326048479
                                                                                                                                                        SHA1:B2D5A8B5C0FD735038267914B5080AAB57B78243
                                                                                                                                                        SHA-256:E0305AA54823E6F39D847F8B651B7BD08C085F1DBBCB5C3C1CE1942C0FA1E9FA
                                                                                                                                                        SHA-512:4C1A67DA2A56BC910436F9E339203D939F0BF854B589E26D3F4086277F2BEC3DFCE8B1F60193418C2544EF0C55713C90F6997DF2BFB43F1429F3D00BA46B39B0
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):2529816
                                                                                                                                                        Entropy (8bit):6.2349774154874025
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:49152:nS+Pyrz6zwISvMezG5886F1CPwDv3uFfJPPyEii/:S+PypIJezD8K1CPwDv3uFfJZ
                                                                                                                                                        MD5:9B0C4FA8171D2EE4BBD0D46EC70184A0
                                                                                                                                                        SHA1:E5A1A605F14FA0260038862CB02DD80BA43CCAB1
                                                                                                                                                        SHA-256:F9127F8E9D2E498699007E9A5C7FBF2FD7FC5EADD58B1924EB08242E573E2A95
                                                                                                                                                        SHA-512:A1BCA8ED34839124C0ABC7D33F1CECDB5342BAB8F34767EAAA74FFA17022C7FF60A25DA93FDC462A476A8A8571669B746088D85600DE5124DF04D552B26650C6
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):21376
                                                                                                                                                        Entropy (8bit):6.486713548287172
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:2k0HTiHQYmjfFKyaWcw5gWUsadHRN7ya/hl3KS0nyGqU:H2iF0FK4VoySIyRU
                                                                                                                                                        MD5:56F86F08DE73C981031224CDE928DFA8
                                                                                                                                                        SHA1:C009AA8D145276ED5D1FC21F83BF004594B9793F
                                                                                                                                                        SHA-256:8906D59ED097E7B857DD19A5323CB0EAB006AF7D1F20EE233C4C86645C7F3A0B
                                                                                                                                                        SHA-512:6BCF58A60435A90ABC06334FBAE1507015F793760027F75F6696023AF2A88517DC31B87A86984A0B877384BEA73BC444A92293790FDA3420D36CFC0736E4195E
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):15808
                                                                                                                                                        Entropy (8bit):6.594537759210963
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:nJB0fhrpIhhf4AN5/jiTWYhWjWWFYg7VWQ4uWT67dEO8p2kacqnajYvxfyfA:n0hrKIWYhWR/7F8pUclMJfz
                                                                                                                                                        MD5:4F06DA894EA013A5E18B8B84A9836D5A
                                                                                                                                                        SHA1:40CF36E07B738AA8BBA58BC5587643326FF412A9
                                                                                                                                                        SHA-256:876BD768C8605056579DD8962E2FD7CC96306FAB5759D904E8A24E46C25BD732
                                                                                                                                                        SHA-512:1D7C0682D343416E6942547E6A449BE4654158D6A70D78AD3C7E8C2B39C296C9406013A3CFE84D1AE8608F19BEE1D4F346D26576D7ED56456EEA39D5D7200F79
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):6190104
                                                                                                                                                        Entropy (8bit):7.421682960763955
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:98304:MK+/ifzrm29tZTwpN9EVbjl4ece6GMUdaVelHxzINC75Z:X+/ibrm29tZFVvl48DueJO475Z
                                                                                                                                                        MD5:74E2784C899F1D77D6679A03D60A3D64
                                                                                                                                                        SHA1:FF43817A59C7A6964DCC8F9DB2B9A16E1FE58C3C
                                                                                                                                                        SHA-256:A9E1AF2711021486E6BCD3B6520072BC71EC8DF0D63336421286E2C4F3DB7EA8
                                                                                                                                                        SHA-512:E745DD67367588CAAE9B75919DCD370AA26647CDB172C2A0C26A709367D6E526214C7787AAA2BC317FFE6C99BB04C6117E142787A7CE936AD391F21417AF1832
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):971064
                                                                                                                                                        Entropy (8bit):6.965132668528083
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:wmFyjHVMxBuwQLYucGp4iiqgNb3HoIbiIw:2My2yRgFoIbnw
                                                                                                                                                        MD5:2FB20C782C237F8B23DF112326048479
                                                                                                                                                        SHA1:B2D5A8B5C0FD735038267914B5080AAB57B78243
                                                                                                                                                        SHA-256:E0305AA54823E6F39D847F8B651B7BD08C085F1DBBCB5C3C1CE1942C0FA1E9FA
                                                                                                                                                        SHA-512:4C1A67DA2A56BC910436F9E339203D939F0BF854B589E26D3F4086277F2BEC3DFCE8B1F60193418C2544EF0C55713C90F6997DF2BFB43F1429F3D00BA46B39B0
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):4483704
                                                                                                                                                        Entropy (8bit):6.835994551598057
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:49152:LNYrZPyqlHjgvBDFx+jnn1nSQnCKWnDcxcYd/IAm4:ClqDFx+YxK7mY9IAm4
                                                                                                                                                        MD5:FE4E5ED83642E0DD84BB41450D020AF6
                                                                                                                                                        SHA1:275601E50EECB6C7E19D9DD4DDBE6E23FAA92650
                                                                                                                                                        SHA-256:BAA679FBB6B375EA4F9A2C536E8CC750CDF25946379DCED876D2A855DDAA838C
                                                                                                                                                        SHA-512:B29E60FF24684A969B61357AADC3D8A5614521CC77FE52016F886FD8B40F13F2B8F8B34CD9888D3C972642A06A6B94C29A193D7AB09A8285277F414DF96F5D18
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):5377144
                                                                                                                                                        Entropy (8bit):6.853679063871745
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:98304:eLlOKYcFr4K9pJsv6tWKFdu9CjvpzjgwWe:eLDrlJsv6tWKFdu9CjRvFWe
                                                                                                                                                        MD5:316FB94DA47EAC5933F3007A8CCA4356
                                                                                                                                                        SHA1:4C17A1A8E21940066BCBB5A0F09F6DA9C26039DA
                                                                                                                                                        SHA-256:0DED0E1CDB33B58CCB8FA20837EBFA9D17A9737BCEB078D0D16F3EF4AC349C5D
                                                                                                                                                        SHA-512:B791A9DC14CB852344D33A7F0DFA5C3C7AC54E50B888024E6795A9FF5372B8554E464C9AF9280289652981B58723C9E4BC72C514D3C346CD020998F67AB84D95
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):11720
                                                                                                                                                        Entropy (8bit):6.761525250479804
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:CKNMWYhWtWWFYg7VWQ4eWSwRrHN8xqnajFW:CKNMWYhWrYHMlZW
                                                                                                                                                        MD5:0979785E3EF8137CDD47C797ADCB96E3
                                                                                                                                                        SHA1:4051C6EB37A4C0DBA47B58301E63DF76BFF347DD
                                                                                                                                                        SHA-256:D5164AECDE4523FFA2DCFD0315B49428AC220013132AD48422A8EA4CA2361257
                                                                                                                                                        SHA-512:E369BC53BABD327F5D1B9833C0B8D6C7E121072AD81D4BA1FB3E2679F161FB6A9FA2FCA0DF0BAC532FD439BEB0D754583582D1DBFECCF2D38CC4F3BDCA39B52D
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):157208
                                                                                                                                                        Entropy (8bit):6.1934682249941115
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3072:zKEv+wyTqNr2Z+7UXkvrZexxuF0tBzwuXh47ht0OiJPex01d54aJ:zPv+5qB2ZwKkvrmu6tJ16lg1dRJ
                                                                                                                                                        MD5:D4DB02A96B703FDBFAD4443AB8FA504F
                                                                                                                                                        SHA1:39AD32AE327789C62FD32FCB6C1F4471F1DCE47F
                                                                                                                                                        SHA-256:21171F394862D2342F5AF507A54655B454F510D0B8800E6A4929829EB28F830E
                                                                                                                                                        SHA-512:D5FCB52ACE86D863B822E06070CF34577BC15BA19CB9CFB2D4C1C16705521E779B8B42ECD2EC9E783B06B2A89C92C259015D88E255FCFBCF19D78D2F276B4009
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):951808
                                                                                                                                                        Entropy (8bit):6.595786024423779
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:j3Qot4CtMnlVl8OsmVEpAymT3cVPjeDzh2A2I5fZBTQgsPfU:ko3twVl8OsmVp3cBCDzhn2I5fHTQfU
                                                                                                                                                        MD5:2829AB15FFF44C84D319274AB61BC4DD
                                                                                                                                                        SHA1:F825F839E0EB35077BE24C2692B42C31B4541411
                                                                                                                                                        SHA-256:A8F3DC44C4DE1D96A1C4491686F54E1931387DF800653BE71458BA11863A00C4
                                                                                                                                                        SHA-512:B689D95FE217307736E0240F3F919646F69E953D007EA89B71207A149F8F5D4710307C1D248F755E40A564ADA49DE9E1FDD926984F45CE2F6E4C872DBCA8EB1A
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):21960
                                                                                                                                                        Entropy (8bit):6.271316004393454
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:nt1MCbM4Oe5grykfIgTmLSWYhWZjMlZi:t6gMq5grxfInsYL
                                                                                                                                                        MD5:461D5AF3277EFB5F000B9DF826581B80
                                                                                                                                                        SHA1:935B00C88C2065F98746E2B4353D4369216F1812
                                                                                                                                                        SHA-256:F9CE464B89DD8EA1D5E0B852369FE3A8322B4B9860E5AE401C9A3B797AED17BF
                                                                                                                                                        SHA-512:229BF31A1DE1E84CF238A0DFE0C3A13FEE86DA94D611FBC8FDB65086DEE6A8B1A6BA37C44C5826C3D8CFA120D0FBA9E690D31C5B4E73F98C8362B98BE1EE9600
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):17352
                                                                                                                                                        Entropy (8bit):6.499657236461651
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:exUO+1pPLNPjFuWYFxEpahTWYhWWWWFYg7VWQ4eWNuvwN8xqnajFD:exUX119OFVhTWYhW2bwMlZ
                                                                                                                                                        MD5:5765103E1F5412C43295BD752CCAEA03
                                                                                                                                                        SHA1:6913BF1624599E55680A0292E22C89CAB559DB81
                                                                                                                                                        SHA-256:8F7ACE43040FA86E972CC74649D3E643D21E4CAD6CB86BA78D4C059ED35D95E4
                                                                                                                                                        SHA-512:5844AC30BC73B7FFBA75016ABEFB8A339E2F2822FC6E1441F33F70B6EB7114F828167DFC34527B0FB5460768C4DE7250C655BC56EFD8BA03115CD2DD6F6C91C0
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):76152
                                                                                                                                                        Entropy (8bit):6.779355547596994
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:1536:igTqURG2vo0RwvI7sjBH+cOKXc36r23vEecbiOkNAPy:idURhvZ6vIQVrPysecbiOkKy
                                                                                                                                                        MD5:9E532403774906F0D1E3179D8840674D
                                                                                                                                                        SHA1:DAC4A653D468F873D5F5533E0C91C93FE5BE1E5B
                                                                                                                                                        SHA-256:E30380FB3301B114F4DD4D09A83C8F2B1C0D6885412065F0D163B0FB342D86C0
                                                                                                                                                        SHA-512:9DED622AD9101EBBD7C4447B11FB1AAFA4DDA47BEE76585A6090B2D756D721AD59CF8B6B3D1B40945FDFA27C9C409283BAA5A0D435B1F351AE4BE9675B577706
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):539160
                                                                                                                                                        Entropy (8bit):5.767679498376213
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12288:PksKJlXTd8oLjM54JNv63wwSh3PXU2lvzXv6OV:7IlXp8q230hfXU2lvz/6OV
                                                                                                                                                        MD5:E8B31242BADE80571DE091E389ABCF2B
                                                                                                                                                        SHA1:95CF1683CEBC7EAEE9FCDBA35394FE163F584DB3
                                                                                                                                                        SHA-256:C6ECE484FD7FC0E7FD1BC17B2A1218F0D6E24DDB7F35FBBC0FBFEC0923EE6B45
                                                                                                                                                        SHA-512:0D9D289C007D03E3CB9FB38EBE61E94534432C427B323300066EFA27E0DAB86B18F86C4576F26A15C159131C89790040DEBE1D8635B742E0344D01BF2CEFAC18
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):11720
                                                                                                                                                        Entropy (8bit):6.869160264874051
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:iWYhWFGWWFYg7VWQ4eWd3BSB8p2kacqnajYu4x:iWYhWkWxSB8pUclMuY
                                                                                                                                                        MD5:50B721A0C945ABE3EDCA6BCEE2A70C6C
                                                                                                                                                        SHA1:F35B3157818D4A5AF3486B5E2E70BB510AC05EFF
                                                                                                                                                        SHA-256:DB495C7C4AD2072D09B2D4506B3A50F04487AD8B27D656685EA3FA5D9653A21D
                                                                                                                                                        SHA-512:EF2F6D28D01A5BAD7C494851077D52F22A11514548C287E513F4820C23F90020A0032E2DA16CC170AE80897AE45FC82BFFC9D18AFB2AE1A7B1DA6EEF56240840
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1309248
                                                                                                                                                        Entropy (8bit):6.527529456231143
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:8tdAm9DUi/CR3wCkCiRgoG7hBaHkbEXXeG/jFt5xax0vTx96e7C:kqTytRFk6ek1x3O
                                                                                                                                                        MD5:4BE9718959029220FC534542CB891006
                                                                                                                                                        SHA1:B205217CEAC2E6F583B250EBC55106001F59EB87
                                                                                                                                                        SHA-256:DB8B0C53B3CF466F055325513273671773A138BCAE59B84E4C78DC7DEE393452
                                                                                                                                                        SHA-512:B21A946BC700988773BE610787B4C4D26F994369742D0293AC74457CFEEE727D7B8F7B7101C8A36C62488B32A1E4D0F85349F8F16A74100D530BE8534FF5658B
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):453312
                                                                                                                                                        Entropy (8bit):6.654147150103626
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:J7kdHIZ63+flb/ExW7PWNLhKj5oKHW/Q13O3PL6v6j5qts3nSIOWuEJH9Mz:G+6OflDfWN8NoKy43O3PL6yMqQ6m
                                                                                                                                                        MD5:03CBD3D314E8666079A20909D269B80C
                                                                                                                                                        SHA1:20A0EB6B35853A73C57467727100F1D3E607472E
                                                                                                                                                        SHA-256:A482A64296D6075282114CA764B7D14812D338D1CE56475610BA43CAD41C27AE
                                                                                                                                                        SHA-512:67BB82CB2E5ADC140E796897C76BA527B466F41B9D5406A9C93EF777D9F05F8F531A6AD6A6F0716E91D8D6D3E15BBD4EAB21A88B587D83152910F512DF5C7266
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):4483704
                                                                                                                                                        Entropy (8bit):6.835994551598057
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:49152:LNYrZPyqlHjgvBDFx+jnn1nSQnCKWnDcxcYd/IAm4:ClqDFx+YxK7mY9IAm4
                                                                                                                                                        MD5:FE4E5ED83642E0DD84BB41450D020AF6
                                                                                                                                                        SHA1:275601E50EECB6C7E19D9DD4DDBE6E23FAA92650
                                                                                                                                                        SHA-256:BAA679FBB6B375EA4F9A2C536E8CC750CDF25946379DCED876D2A855DDAA838C
                                                                                                                                                        SHA-512:B29E60FF24684A969B61357AADC3D8A5614521CC77FE52016F886FD8B40F13F2B8F8B34CD9888D3C972642A06A6B94C29A193D7AB09A8285277F414DF96F5D18
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):5929592
                                                                                                                                                        Entropy (8bit):6.794857574868927
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:49152:7XWX+slNUrE5ZiXVSTsxkHDl3HHx4oRZ0ggBEFslA6A5ORbkVIa+r8ZJU/tNN4gG:752gcsxUl3HN0VUVCr8Ib6mLV9+
                                                                                                                                                        MD5:253C8B17A1476DC182C31B75E98B6A0E
                                                                                                                                                        SHA1:49A511A017EE77FFAC72AF8B007C67C9F6637D53
                                                                                                                                                        SHA-256:55B26B1236A79A6985DC9B6114DD227F5DFF06D6932223DDA02D9ED95968B779
                                                                                                                                                        SHA-512:A5110FDB18DA6D87641B0299EA947F149030B61779EBEEA300F75A555F3F2AB61BFA79204593D3A84F2BE41945A3E82472002F876A3BAC845BADAB871897754C
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):454968
                                                                                                                                                        Entropy (8bit):6.702123748477664
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12288:/VHbDqy90l5yQBggQerfhUgiW6QR7t5ss3Ooc8DHkC2ehSxPA:tbOqQbnrMs3Ooc8DHkC2ehSxo
                                                                                                                                                        MD5:A883C95684EFF25E71C3B644912C73A5
                                                                                                                                                        SHA1:3F541023690680D002A22F64153EA4E000E5561B
                                                                                                                                                        SHA-256:D672FB07A05FB53CC821DA0FDE823FDFD46071854FE8C6C5EA83D7450B978ECB
                                                                                                                                                        SHA-512:5A47C138D50690828303B1A01B28E6EF67CFE48215D16ED8A70F2BC8DBB4A73A42C37D02CCAE416DC5BD12B7ED14FF692369BC294259B46DBF02DC1073F0CB52
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):264312
                                                                                                                                                        Entropy (8bit):6.715338352324104
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:dO73uRNCsNic+peLSWOvY0VdWOEDuFcXxwIpunEJr2ty+yUIEDvwrPmaiK+iA0c8:dOsB+peLNMLEDukunEJr2tyRrPTf
                                                                                                                                                        MD5:2974485E58533B9BFC4061E11C0174C7
                                                                                                                                                        SHA1:9A8E9CDEC284B865C76CCA129E7BD44885BABB55
                                                                                                                                                        SHA-256:CD1950F423381E5654EB92E5A77EE19AA6E0212FC3729D5710A9EDF57746C2B0
                                                                                                                                                        SHA-512:CE0EF433D7E8D52EC513725327A7A8DCACAE831704CCD4F2B9B243431A408DE40ABFA846D0BBDBBBDF70B6294439392BD8F4723D465E324A4BBF272727E5B43D
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):12232
                                                                                                                                                        Entropy (8bit):6.72993280581241
                                                                                                                                                        Encrypted:false
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):2529816
                                                                                                                                                        Entropy (8bit):6.2349774154874025
                                                                                                                                                        Encrypted:false
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):11720
                                                                                                                                                        Entropy (8bit):6.852501651690859
                                                                                                                                                        Encrypted:false
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1062520
                                                                                                                                                        Entropy (8bit):6.681028028686963
                                                                                                                                                        Encrypted:false
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):11712
                                                                                                                                                        Entropy (8bit):6.87820352511638
                                                                                                                                                        Encrypted:false
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):11720
                                                                                                                                                        Entropy (8bit):6.859698838321107
                                                                                                                                                        Encrypted:false
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):15808
                                                                                                                                                        Entropy (8bit):6.594537759210963
                                                                                                                                                        Encrypted:false
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):453312
                                                                                                                                                        Entropy (8bit):6.654147150103626
                                                                                                                                                        Encrypted:false
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):4369472
                                                                                                                                                        Entropy (8bit):6.59289267077476
                                                                                                                                                        Encrypted:false
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):454968
                                                                                                                                                        Entropy (8bit):6.702123748477664
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12288:/VHbDqy90l5yQBggQerfhUgiW6QR7t5ss3Ooc8DHkC2ehSxPA:tbOqQbnrMs3Ooc8DHkC2ehSxo
                                                                                                                                                        MD5:A883C95684EFF25E71C3B644912C73A5
                                                                                                                                                        SHA1:3F541023690680D002A22F64153EA4E000E5561B
                                                                                                                                                        SHA-256:D672FB07A05FB53CC821DA0FDE823FDFD46071854FE8C6C5EA83D7450B978ECB
                                                                                                                                                        SHA-512:5A47C138D50690828303B1A01B28E6EF67CFE48215D16ED8A70F2BC8DBB4A73A42C37D02CCAE416DC5BD12B7ED14FF692369BC294259B46DBF02DC1073F0CB52
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):15304
                                                                                                                                                        Entropy (8bit):6.565748840552441
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:YM0wd8dc9cydWYhWtWWFYg7VWQ4eWydY8p2kacqnajYWx:B0wd8xydWYhWrjY8pUclMK
                                                                                                                                                        MD5:88F89D0F2BD5748ED1AF75889E715E6A
                                                                                                                                                        SHA1:8ADA489B9FF33530A3FB7161CC07B5B11DFB8909
                                                                                                                                                        SHA-256:02C78781BF6CC5F22A0ECEDC3847BFD20BED4065AC028C386D063DC2318C33CC
                                                                                                                                                        SHA-512:1F5A00284CA1D6DC6AE2DFCE306FEBFA6D7D71D421583E4CE6890389334C2D98291E98E992B58136F5D1A41590553E3AD42FB362247AE8ADF60E33397AFBB5DF
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):13760
                                                                                                                                                        Entropy (8bit):6.681985886172717
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:g3sy5NDSWYhWmVWWFYg7VWQ4uWOpxCN8xqnajFs:LU0WYhWmTLaMlZs
                                                                                                                                                        MD5:D0B6A2CAEC62F5477E4E36B991563041
                                                                                                                                                        SHA1:8396E1E02DACE6AE4DDE33B3E432A3581BC38F5D
                                                                                                                                                        SHA-256:FD44D833EA40D50981B3151535618EB57B5513ED824A9963251D07ABFF2BAEDF
                                                                                                                                                        SHA-512:69BD6DF96DE99E6AB9C12D8A1024D20A034A7DB3E2B62E8BE7FDBC838C4E9001D2497B04209E07A5365D00366C794C31EE89B133304E475DDE5F92FDB7FCB0BC
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):450952
                                                                                                                                                        Entropy (8bit):6.636302273840038
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12288:ho0HQo+Oem3turAvbA2VOt4avcG9u5sl1nhUgiW6QR7t5s03Ooc8dHkC2esA1s:W0HQXm3turm9VOtTvc/03Ooc8dHkC2es
                                                                                                                                                        MD5:D3CE785725FFFAB73DB212D0E943A788
                                                                                                                                                        SHA1:74E8E951BE171B434C6DDC1BA7681BC15C8374BC
                                                                                                                                                        SHA-256:08A47A1B10C4BCBAAC64B49ADF4B8F19B37F5B5820416F2D83F2D71B16BB5F93
                                                                                                                                                        SHA-512:8888560DF96776C275C9CB46E379F17E709FEBBA52EEE49DBFBDB72665FF656F6242B498E5B2737FEE6CA92370361F0D853065C1A0C0382665A7015EBE1156EE
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):17864
                                                                                                                                                        Entropy (8bit):6.382738607708961
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:9FvU4x0C5yguNvZ5VQgx3SbwA7yMVIkFGl/WYhWl76tW8pUclMgp:j5yguNvZ5VQgx3SbwA71IkFw5W8pUq
                                                                                                                                                        MD5:F364190706414020C02CF4D531E0229D
                                                                                                                                                        SHA1:5899230B0D7AD96121C3BE0DF99235DDD8A47DC6
                                                                                                                                                        SHA-256:A797C0D43A52E7C8205397225AC931638D73B567683F38DD803195DA9D34EAC2
                                                                                                                                                        SHA-512:A9C8ABBD846AB55942F440E905D1F3864B82257B8DAA44C784B1997A060DE0C0439ECC25A2193032D4D85191535E9253E435DEED23BDF3D3CB48C4209005A02E
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):13768
                                                                                                                                                        Entropy (8bit):6.798905181617243
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:6GEOMw3zdp3bwjGzue9/0jCRrndbFWYhWfRDli:6TOMwBprwjGzue9/0jCRrndbB0
                                                                                                                                                        MD5:21519F4D5F1FEA53532A0B152910EF8B
                                                                                                                                                        SHA1:7833AC2C20263C8BE42F67151F9234EB8E4A5515
                                                                                                                                                        SHA-256:5FBD69186F414D1D99AC61C9C15A57390FF21FE995E5C01F1C4E14510B6FB9B1
                                                                                                                                                        SHA-512:97211FAD4AAE2F6A6B783107938F0635C302445E74FC34A26AA386864509919C3F084E80579D2502105D9256AAB9F57EA16137C43344B1C62F64E5BC1125A417
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):13760
                                                                                                                                                        Entropy (8bit):6.681985886172717
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:g3sy5NDSWYhWmVWWFYg7VWQ4uWOpxCN8xqnajFs:LU0WYhWmTLaMlZs
                                                                                                                                                        MD5:D0B6A2CAEC62F5477E4E36B991563041
                                                                                                                                                        SHA1:8396E1E02DACE6AE4DDE33B3E432A3581BC38F5D
                                                                                                                                                        SHA-256:FD44D833EA40D50981B3151535618EB57B5513ED824A9963251D07ABFF2BAEDF
                                                                                                                                                        SHA-512:69BD6DF96DE99E6AB9C12D8A1024D20A034A7DB3E2B62E8BE7FDBC838C4E9001D2497B04209E07A5365D00366C794C31EE89B133304E475DDE5F92FDB7FCB0BC
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):11712
                                                                                                                                                        Entropy (8bit):6.87820352511638
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:JDQtZ34WYhWVWWFYg7VWQ4uW+Jf8p2kacqnajY2xyU:JDQtZ34WYhWT/f8pUclMqx
                                                                                                                                                        MD5:EB6F7AF7EED6AA9AB03495B62FD3563F
                                                                                                                                                        SHA1:5A60EEBE67ED90F3171970F8339E1404CA1BB311
                                                                                                                                                        SHA-256:148ADEF6A34269E403BB509F9D5260ABE52F413A6C268E8BD9869841D5F2BD02
                                                                                                                                                        SHA-512:A9961212B40EFC12FD1AB3CC6551C97C987E73B6E409C9AB8A5E1B24542F9E5884811F06883BD31D2585219C4F60C30DE2D188788513C01B6CBFE22D539D7875
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):76152
                                                                                                                                                        Entropy (8bit):6.779355547596994
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:1536:igTqURG2vo0RwvI7sjBH+cOKXc36r23vEecbiOkNAPy:idURhvZ6vIQVrPysecbiOkKy
                                                                                                                                                        MD5:9E532403774906F0D1E3179D8840674D
                                                                                                                                                        SHA1:DAC4A653D468F873D5F5533E0C91C93FE5BE1E5B
                                                                                                                                                        SHA-256:E30380FB3301B114F4DD4D09A83C8F2B1C0D6885412065F0D163B0FB342D86C0
                                                                                                                                                        SHA-512:9DED622AD9101EBBD7C4447B11FB1AAFA4DDA47BEE76585A6090B2D756D721AD59CF8B6B3D1B40945FDFA27C9C409283BAA5A0D435B1F351AE4BE9675B577706
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1168840
                                                                                                                                                        Entropy (8bit):6.796126828525289
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:tCjjeiNFnAp+O+R2l2WDPc/9qHrX0cJ/gAp0ei5mcvIZPoy4aVvFjDp:4jyuRR2l2WD6I/bp0erVL
                                                                                                                                                        MD5:2040CDCD779BBEBAD36D36035C675D99
                                                                                                                                                        SHA1:918BC19F55E656F6D6B1E4713604483EB997EA15
                                                                                                                                                        SHA-256:2AD9A105A9CAA24F41E7B1A6F303C07E6FAECEAF3AAF43EBD644D9D5746A4359
                                                                                                                                                        SHA-512:83DC3C7E35F0F83E1224505D04CDBAEE12B7EA37A2C3367CB4FCCC4FFF3E5923CF8A79DD513C33A667D8231B1CC6CFB1E33F957D92E195892060A22F53C7532F
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):21960
                                                                                                                                                        Entropy (8bit):6.271316004393454
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:nt1MCbM4Oe5grykfIgTmLSWYhWZjMlZi:t6gMq5grxfInsYL
                                                                                                                                                        MD5:461D5AF3277EFB5F000B9DF826581B80
                                                                                                                                                        SHA1:935B00C88C2065F98746E2B4353D4369216F1812
                                                                                                                                                        SHA-256:F9CE464B89DD8EA1D5E0B852369FE3A8322B4B9860E5AE401C9A3B797AED17BF
                                                                                                                                                        SHA-512:229BF31A1DE1E84CF238A0DFE0C3A13FEE86DA94D611FBC8FDB65086DEE6A8B1A6BA37C44C5826C3D8CFA120D0FBA9E690D31C5B4E73F98C8362B98BE1EE9600
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):264312
                                                                                                                                                        Entropy (8bit):6.715338352324104
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:dO73uRNCsNic+peLSWOvY0VdWOEDuFcXxwIpunEJr2ty+yUIEDvwrPmaiK+iA0c8:dOsB+peLNMLEDukunEJr2tyRrPTf
                                                                                                                                                        MD5:2974485E58533B9BFC4061E11C0174C7
                                                                                                                                                        SHA1:9A8E9CDEC284B865C76CCA129E7BD44885BABB55
                                                                                                                                                        SHA-256:CD1950F423381E5654EB92E5A77EE19AA6E0212FC3729D5710A9EDF57746C2B0
                                                                                                                                                        SHA-512:CE0EF433D7E8D52EC513725327A7A8DCACAE831704CCD4F2B9B243431A408DE40ABFA846D0BBDBBBDF70B6294439392BD8F4723D465E324A4BBF272727E5B43D
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PDF document, version 1.7 (zip deflate encoded)
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1320391
                                                                                                                                                        Entropy (8bit):7.9992888549386585
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:24576:k4oFw1jwkIQfkME2xnmcQqASBneIDIYSTpRyqsa84JAK5f2g:k4o2jwsfk8xmcTAcIYSqqv8CAs2g
                                                                                                                                                        MD5:54DC9CBDE130682C4C26D7240DF349D7
                                                                                                                                                        SHA1:A85369185808000C2F95D348DD32926F23E70459
                                                                                                                                                        SHA-256:B4C873DB0255D52EB4291A152205CC227AC6DFA5ABF50BFCE8758C0260A160CC
                                                                                                                                                        SHA-512:174AC6840FF91C905695DDA4CFA1620503C80A75877C91A89D79200F4EEC6ACB2373336B0F8E42EBEB6C341FF17F56F9EB2B35A61EDDD72945D95AB9D31359C2
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):11416
                                                                                                                                                        Entropy (8bit):6.815621198462554
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:KdWYhWJWWFYg7VWQ4WWeRkJqnajgrTZutRnPZA9S:KdWYhWHsJl0huHnPZA9S
                                                                                                                                                        MD5:CD3CEC3D65AE62FDF044F720245F29C0
                                                                                                                                                        SHA1:C4643779A0F0F377323503F2DB8D2E4D74C738CA
                                                                                                                                                        SHA-256:676A6DA661E0C02E72BEA510F5A48CAE71FDC4DA0B1B089C24BFF87651EC0141
                                                                                                                                                        SHA-512:ACA1029497C5A9D26EE09810639278EB17B8FD11B15C9017C8B578FCED29CEF56F172750C4CC2B0D1EBF8683D29E15DE52A6951FB23D78712E31DDCB41776B0F
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PDF document, version 1.7 (zip deflate encoded)
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):2937426
                                                                                                                                                        Entropy (8bit):7.999721009048782
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:49152:gNIbw9+FObeh8Ec/8R70Ndi927yGt0MXtwolPvXbMN2unFpFQnrXunxD45aD4Aj1:gNIb3ObY8ExsdO27R0M9NlPvrMwzyxDt
                                                                                                                                                        MD5:A156BAC67FDCA2A16112B5EE07396B34
                                                                                                                                                        SHA1:CE1B5BE9C96187DECD752705CE8FE30471B30FF3
                                                                                                                                                        SHA-256:DB64A42B1A2D59139C79DE7C13CA6DD9004544611C62396093C72520BA3EC91C
                                                                                                                                                        SHA-512:24494EAAE5BC0E8CFF551A5454203C7689B3F0DC1F509821E762D7CF8015693F379C82EF2A2659CC29333C4894B3A69F92B3146CCAFA56388FA145765FE08254
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):11208
                                                                                                                                                        Entropy (8bit):6.914984712440467
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:UC/b2WYhWIWWFYg7VWQ4eW5AZa8p2kacqnajYhx:UC/b2WYhWoY8pUclMH
                                                                                                                                                        MD5:B181124928D8EB7B6CAA0C2C759155CB
                                                                                                                                                        SHA1:1AADBBD43EFF2DF7BAB51C6F3BDA2EB2623B281A
                                                                                                                                                        SHA-256:24EA638DFA9F40E2F395E26E36D308DB2AB25ED1BAA5C796AC2C560AD4C89D77
                                                                                                                                                        SHA-512:2A43BF4D50D47924374CDE689BE24799C4E1C132C0BC981F5109952D3322E91DD5A9352B53BB55CA79A6EA92E2C387E87C064B9D8C8F519B77FFF973D752DC8F
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):2529816
                                                                                                                                                        Entropy (8bit):6.2349774154874025
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:49152:nS+Pyrz6zwISvMezG5886F1CPwDv3uFfJPPyEii/:S+PypIJezD8K1CPwDv3uFfJZ
                                                                                                                                                        MD5:9B0C4FA8171D2EE4BBD0D46EC70184A0
                                                                                                                                                        SHA1:E5A1A605F14FA0260038862CB02DD80BA43CCAB1
                                                                                                                                                        SHA-256:F9127F8E9D2E498699007E9A5C7FBF2FD7FC5EADD58B1924EB08242E573E2A95
                                                                                                                                                        SHA-512:A1BCA8ED34839124C0ABC7D33F1CECDB5342BAB8F34767EAAA74FFA17022C7FF60A25DA93FDC462A476A8A8571669B746088D85600DE5124DF04D552B26650C6
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):453312
                                                                                                                                                        Entropy (8bit):6.654147150103626
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:J7kdHIZ63+flb/ExW7PWNLhKj5oKHW/Q13O3PL6v6j5qts3nSIOWuEJH9Mz:G+6OflDfWN8NoKy43O3PL6yMqQ6m
                                                                                                                                                        MD5:03CBD3D314E8666079A20909D269B80C
                                                                                                                                                        SHA1:20A0EB6B35853A73C57467727100F1D3E607472E
                                                                                                                                                        SHA-256:A482A64296D6075282114CA764B7D14812D338D1CE56475610BA43CAD41C27AE
                                                                                                                                                        SHA-512:67BB82CB2E5ADC140E796897C76BA527B466F41B9D5406A9C93EF777D9F05F8F531A6AD6A6F0716E91D8D6D3E15BBD4EAB21A88B587D83152910F512DF5C7266
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):539160
                                                                                                                                                        Entropy (8bit):5.767679498376213
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12288:PksKJlXTd8oLjM54JNv63wwSh3PXU2lvzXv6OV:7IlXp8q230hfXU2lvz/6OV
                                                                                                                                                        MD5:E8B31242BADE80571DE091E389ABCF2B
                                                                                                                                                        SHA1:95CF1683CEBC7EAEE9FCDBA35394FE163F584DB3
                                                                                                                                                        SHA-256:C6ECE484FD7FC0E7FD1BC17B2A1218F0D6E24DDB7F35FBBC0FBFEC0923EE6B45
                                                                                                                                                        SHA-512:0D9D289C007D03E3CB9FB38EBE61E94534432C427B323300066EFA27E0DAB86B18F86C4576F26A15C159131C89790040DEBE1D8635B742E0344D01BF2CEFAC18
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):454968
                                                                                                                                                        Entropy (8bit):6.702123748477664
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12288:/VHbDqy90l5yQBggQerfhUgiW6QR7t5ss3Ooc8DHkC2ehSxPA:tbOqQbnrMs3Ooc8DHkC2ehSxo
                                                                                                                                                        MD5:A883C95684EFF25E71C3B644912C73A5
                                                                                                                                                        SHA1:3F541023690680D002A22F64153EA4E000E5561B
                                                                                                                                                        SHA-256:D672FB07A05FB53CC821DA0FDE823FDFD46071854FE8C6C5EA83D7450B978ECB
                                                                                                                                                        SHA-512:5A47C138D50690828303B1A01B28E6EF67CFE48215D16ED8A70F2BC8DBB4A73A42C37D02CCAE416DC5BD12B7ED14FF692369BC294259B46DBF02DC1073F0CB52
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):450952
                                                                                                                                                        Entropy (8bit):6.636302273840038
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12288:ho0HQo+Oem3turAvbA2VOt4avcG9u5sl1nhUgiW6QR7t5s03Ooc8dHkC2esA1s:W0HQXm3turm9VOtTvc/03Ooc8dHkC2es
                                                                                                                                                        MD5:D3CE785725FFFAB73DB212D0E943A788
                                                                                                                                                        SHA1:74E8E951BE171B434C6DDC1BA7681BC15C8374BC
                                                                                                                                                        SHA-256:08A47A1B10C4BCBAAC64B49ADF4B8F19B37F5B5820416F2D83F2D71B16BB5F93
                                                                                                                                                        SHA-512:8888560DF96776C275C9CB46E379F17E709FEBBA52EEE49DBFBDB72665FF656F6242B498E5B2737FEE6CA92370361F0D853065C1A0C0382665A7015EBE1156EE
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):21376
                                                                                                                                                        Entropy (8bit):6.486713548287172
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:2k0HTiHQYmjfFKyaWcw5gWUsadHRN7ya/hl3KS0nyGqU:H2iF0FK4VoySIyRU
                                                                                                                                                        MD5:56F86F08DE73C981031224CDE928DFA8
                                                                                                                                                        SHA1:C009AA8D145276ED5D1FC21F83BF004594B9793F
                                                                                                                                                        SHA-256:8906D59ED097E7B857DD19A5323CB0EAB006AF7D1F20EE233C4C86645C7F3A0B
                                                                                                                                                        SHA-512:6BCF58A60435A90ABC06334FBAE1507015F793760027F75F6696023AF2A88517DC31B87A86984A0B877384BEA73BC444A92293790FDA3420D36CFC0736E4195E
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):971064
                                                                                                                                                        Entropy (8bit):6.965132668528083
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:wmFyjHVMxBuwQLYucGp4iiqgNb3HoIbiIw:2My2yRgFoIbnw
                                                                                                                                                        MD5:2FB20C782C237F8B23DF112326048479
                                                                                                                                                        SHA1:B2D5A8B5C0FD735038267914B5080AAB57B78243
                                                                                                                                                        SHA-256:E0305AA54823E6F39D847F8B651B7BD08C085F1DBBCB5C3C1CE1942C0FA1E9FA
                                                                                                                                                        SHA-512:4C1A67DA2A56BC910436F9E339203D939F0BF854B589E26D3F4086277F2BEC3DFCE8B1F60193418C2544EF0C55713C90F6997DF2BFB43F1429F3D00BA46B39B0
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PDF document, version 1.7 (zip deflate encoded)
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):2937426
                                                                                                                                                        Entropy (8bit):7.999721009048782
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:49152:gNIbw9+FObeh8Ec/8R70Ndi927yGt0MXtwolPvXbMN2unFpFQnrXunxD45aD4Aj1:gNIb3ObY8ExsdO27R0M9NlPvrMwzyxDt
                                                                                                                                                        MD5:A156BAC67FDCA2A16112B5EE07396B34
                                                                                                                                                        SHA1:CE1B5BE9C96187DECD752705CE8FE30471B30FF3
                                                                                                                                                        SHA-256:DB64A42B1A2D59139C79DE7C13CA6DD9004544611C62396093C72520BA3EC91C
                                                                                                                                                        SHA-512:24494EAAE5BC0E8CFF551A5454203C7689B3F0DC1F509821E762D7CF8015693F379C82EF2A2659CC29333C4894B3A69F92B3146CCAFA56388FA145765FE08254
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PDF document, version 1.7 (zip deflate encoded)
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1320391
                                                                                                                                                        Entropy (8bit):7.9992888549386585
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:24576:k4oFw1jwkIQfkME2xnmcQqASBneIDIYSTpRyqsa84JAK5f2g:k4o2jwsfk8xmcTAcIYSqqv8CAs2g
                                                                                                                                                        MD5:54DC9CBDE130682C4C26D7240DF349D7
                                                                                                                                                        SHA1:A85369185808000C2F95D348DD32926F23E70459
                                                                                                                                                        SHA-256:B4C873DB0255D52EB4291A152205CC227AC6DFA5ABF50BFCE8758C0260A160CC
                                                                                                                                                        SHA-512:174AC6840FF91C905695DDA4CFA1620503C80A75877C91A89D79200F4EEC6ACB2373336B0F8E42EBEB6C341FF17F56F9EB2B35A61EDDD72945D95AB9D31359C2
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):29308848
                                                                                                                                                        Entropy (8bit):6.429221480087082
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:393216:2KMiAG0wPidFOhuTFx0IkcUZ33uk+aEIPtD:2kzidFOSxat3uk+and
                                                                                                                                                        MD5:4C58277BCB810B7B7F07BAAAF0C4D409
                                                                                                                                                        SHA1:A64EC7B797FDABFA81EE71502C6462AFD836FFDD
                                                                                                                                                        SHA-256:26309184E7986C384AE0BECB6916240E71E139DD2FB1A031D3263B79652B1B7A
                                                                                                                                                        SHA-512:FC973BDF9778CEDB565445FBABDECFA880F6C8218C3F5279CC1F9BC400695828372F7489ED4CB9D404BC945DBF7F14964F6C0A977A4F1EB380E63CB6A8EDD1D6
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1248888
                                                                                                                                                        Entropy (8bit):6.841919816679135
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:gXThFe45BxeGLs74ZXmDK5cvG9VsBqIMi/tryKeD9NZfGtqU:g1pBxeGsDKXN+deJGt9
                                                                                                                                                        MD5:261E68A15BD3D3D309427AC8FB96CFCA
                                                                                                                                                        SHA1:A0A7E66C79F22CC7E85C16B64197CA778262FF65
                                                                                                                                                        SHA-256:8A812D9B0EC62DF005DE2D045315B1DE1D42826743BE0C2D29F9BD04803CCA1A
                                                                                                                                                        SHA-512:E94B264E105FF1AB921CC6C395396A691401748D54ECF9E0CDCF51F8E8C951C7AF68E00CA92B92A4FD4398E7DACDDBF6481F680DE3F9031207DCD6DE2F4A7299
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):132216
                                                                                                                                                        Entropy (8bit):6.529728833719114
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3072:2Y8K7wsDv+VehfJChnLdI0w2I7ZL38XG7/zjh4Ge+gejo0ME36coijLX6J6PPgCY:2E1DUvQL3Wizjh4GelYo0ME36coijLXw
                                                                                                                                                        MD5:AF757B9032FDB73815EF427BEBCB3C11
                                                                                                                                                        SHA1:B779DAA523721F947045A4050B7DDCB31A7F5D1E
                                                                                                                                                        SHA-256:4579779711F7346AD1F7D5F6DEF2568E70862CD64E1D511A67E92C210F2AA675
                                                                                                                                                        SHA-512:E95BFF2C5A78906E40542B7F29DF334FD8AA568B880B9AEED50E86B8686A8F5D0D076619F70FA0AC24D6AEDCACC2113956EA72415637E2F4FFE1AB9CADB4BD2B
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:Qt Translation file
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):57732
                                                                                                                                                        Entropy (8bit):5.400917862390972
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:1536:naa7Ug5gzL5em09/285D5d6wiNdYhReauMPRnwepe2E:nacUg5Uem09Z6VdYhReapnwepe2E
                                                                                                                                                        MD5:8C955BA4ECAD9F82010D8F4ED5F58FBB
                                                                                                                                                        SHA1:7BD48E206CE89E9EC2A25AD9355356A24B4985CD
                                                                                                                                                        SHA-256:FE2BDC52B4F17DCE22975F97C5C038921557BC5CA2017C1A1C9C356684BBA107
                                                                                                                                                        SHA-512:E659B5213829BC31298BB47F745F5C04ABE39AD27BBCE329A720DEF8546172833A74BBCF5993B39387E06119D113DDDAE2259A725F642965260B0926A497EF7A
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:Qt Translation file
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):64745
                                                                                                                                                        Entropy (8bit):4.806037676893342
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:1536:Ls3Bw0ZS9m6RzPU0vLXTJRfRd42WC0GVax:g3BlS9mOPNvLX9RfRd42WC0GVax
                                                                                                                                                        MD5:E05BE85D044EA71F4BC7140B8EAF21E7
                                                                                                                                                        SHA1:BF89DF34CC8D5F5F604DB1653782FCD70605C37C
                                                                                                                                                        SHA-256:7079AE3F52F85943A7AE17DDE0D9A15F584B9ACC0BAB1843BC8FB96EFBCD9E91
                                                                                                                                                        SHA-512:9C03B8DEE41E275F0CFB504BCB3BBB06292DEE0DEB60BF4BD05694F2D63C1CBB17E6C667F37844E9D8B77FA84E57C48664488851909A0D2C09DCA74A7E07D8A3
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:Qt Translation file
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):58685
                                                                                                                                                        Entropy (8bit):4.890440342646496
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:AfyrMmj/laUq5ghoU0gDH03oAi47/3PdOIIq4Byjn5DUOl4VC+w+1WCu+eY4f8TU:A6rMmZBq5ghX0/7Iq4BKlPl4VC+wQut
                                                                                                                                                        MD5:EEBC5A7846068D2EDFF17774EC12600F
                                                                                                                                                        SHA1:B2E773E5D63E7FE78E7049081A04F8E34A8BA376
                                                                                                                                                        SHA-256:C25C1C873222011B016CB2CCBFCC7FE98B40FB6612EC9A3F0BF5FE18CE856750
                                                                                                                                                        SHA-512:F324ECE06FB57EADB257D137DF059BCAE11348FE6E63513D34DAA08F78525FF13B1D39B469462E1655E2697E9E2382F226FCC9172E51888BC5A06BD65D6E308C
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:Qt Translation file
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):63475
                                                                                                                                                        Entropy (8bit):4.795438163869372
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:627KbEtBgJLMOiUzl6UhO3I6OdypZU2DK8mRT2kWDYUYvLGzKmvqmA1:6aKoEhM6zlhZuCWDCvCm7
                                                                                                                                                        MD5:B55602949992E50B136C129D9A1B04F9
                                                                                                                                                        SHA1:4ECC62710A4DB1201A6E4EE5E707E20614B97B09
                                                                                                                                                        SHA-256:67E06A77047821445DD3710810EC1EE912CFB084F0645256B3E04E9C4C5E7C38
                                                                                                                                                        SHA-512:0644EE8E0BEA52DC2F014F7A29AC1FEEAF7998124B374A0E27A19B31A23B80D7C7C229F8B58A9C02AE8D28CD68DBB6F8EE659E80F6758F3CA39A9CF8212E138B
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:Qt Translation file
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):65057
                                                                                                                                                        Entropy (8bit):4.775392635465369
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:Y5R5IlU6sG7dqd6IT29UOtvUBRXdJhKOOSv80lXzzFvz2Vi8bWuSms3QZMqRdL6:2RBOBWOtsTNd8ylus
                                                                                                                                                        MD5:D1C59556DED29D5E268A7A956BCCEE14
                                                                                                                                                        SHA1:D08268DE103B3728C8A88A37B7B761F0AF85476B
                                                                                                                                                        SHA-256:CABAE88C6C4BFD1FEB475C7940ACB38E89201F8122BAEA7FAEDA08385A51FAC3
                                                                                                                                                        SHA-512:05CF84C8E45C193C2ABD236B8B47939D2A349A67D16AE845537DF93095071D430860036E8396F79585E78C59422A6AAC83FCFC45F26BFBDA2050604BA8C3E7AC
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:Qt Translation file
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):63381
                                                                                                                                                        Entropy (8bit):4.779644160958497
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:84IVmQVbV8O76rUB+sqKzU9FmSmSozWkovYPXQQUhFP+DP/EBiZdLxNmdx8:1VQV5J7/BlqRYsP+n
                                                                                                                                                        MD5:B68D3C8B7DFA72D1EC4332EDB78CC4F2
                                                                                                                                                        SHA1:A5772C8969FD1CC9C1D646EBEB5AF138343E9BD4
                                                                                                                                                        SHA-256:88473D4720F1A823B281106653B98BABAC470AC332C019A3623E85D72C6D0D87
                                                                                                                                                        SHA-512:ACA9705418EA26721DC6EEAE353BA3BF4FD44512043D0B53782E77E929E72E2AD6D1B340B04EEBA95B3EED06C3280E347FF704041970614631F797B2EB31D560
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:Qt Translation file
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):64309
                                                                                                                                                        Entropy (8bit):4.7807943343150425
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:JE37pchgvuQUG6OckUzAsPPizZQ56V0HJDRcVkkPabbldvPfF/HR1Bi:WLqhgvEG6OcT+hPabbldvF/g
                                                                                                                                                        MD5:478DD839BF5334C254390B3ADE43E994
                                                                                                                                                        SHA1:D13AC2FD33FD5C1B9C059C63AFF05CF03457343B
                                                                                                                                                        SHA-256:D32043438BA0B249EF5DDE1D411BD07F86E1C332B019E1920F9C0C8CAAE292D6
                                                                                                                                                        SHA-512:DDE95A06706925825E36354D15318DDA0E579C38A84717E8EBB6F4B7BADBA16F87AD422BB485800AA96EE3E742537F1E41E9903F6A6F236C4093FF3B222A2600
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:Qt Translation file
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):62066
                                                                                                                                                        Entropy (8bit):4.934441152389104
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:u9Ku9eAukifacU2IPTUL7J4DAIiYp7cu1JBPnmm/ACbPSYcaQs3sKgt9xdjbzgBg:qeAea72IPwO3/ACbBnsKg/xdjbzL/
                                                                                                                                                        MD5:2EE023974FB9B122C29C11DEE033323D
                                                                                                                                                        SHA1:26E0B6A676481DE095DF72BC3744BB7F6FC1D16F
                                                                                                                                                        SHA-256:BC137224351AAD3C7CC60F84CE0DBD6CBDE08DE53ABCF945ABDA559D32993B6C
                                                                                                                                                        SHA-512:0B3C8D6EA8D00B33368AD674238E0F4ACF3CC376877B00183F7348F451BBA72E18D0A0993A71E372B59AC96B88C600C74C2C47BF66E8CB38D9C5827AFE8E9266
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:Qt Translation file
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):62891
                                                                                                                                                        Entropy (8bit):4.823364078120669
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:HM0kVXe1I/LCXU1ZBUH7uUF1kGCvs8eN/0S4Lhh7a9nKoJ+MVSLze:HKZgI/H1ZuCTh7g7
                                                                                                                                                        MD5:B2157DA8DD5BF92C15AA1F71791C9EFB
                                                                                                                                                        SHA1:BBD31B6B6A84ADA045C9525C35F14234D4768866
                                                                                                                                                        SHA-256:1059322DFFE9E89A3AC30DD6909BB557A7A4ED846964E4CBDC61B9CAD1C09ADC
                                                                                                                                                        SHA-512:C10538AF718448D2DA5E6DB8884C207FB71984A499FE61B3F9060F5F5CE282F9AF0A86F15FCC7D2CDBCCAC423796CF5B891D1D12E2AFAF520B5AC90E765AC3C4
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:Qt Translation file
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):62763
                                                                                                                                                        Entropy (8bit):5.455115657023205
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:1536:FNJnsaI8wma3Y/wG4mnDhkisaDpT42OuweoJ1H1LYJ:FfnsiDzoisH8
                                                                                                                                                        MD5:1E7324A5A009133A83ECD4ECD2942F04
                                                                                                                                                        SHA1:FD85F1E55CABBA7D3FEE7860529FB30CBB93677B
                                                                                                                                                        SHA-256:6A01D8E8013BF6DA4A5DB0351C1307A3E18830B00BEE5B348BBC0F51E2209747
                                                                                                                                                        SHA-512:3C105DB44A6FEBE5252EA35B8B4B9930B30BAC3275EFD0AA7A771EDFEE34235CCA31AD1AE16F0C3B2461E9C9A0D0D2FE26674C6D706E1E1DE1D42F45169E50D5
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:Qt Translation file
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):57617
                                                                                                                                                        Entropy (8bit):5.544709954027822
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:1536:8nygJLT9D7CxAAVLPdWsdJONjqSERWYZjqyaf:8XlCmqPxvif
                                                                                                                                                        MD5:7255EF532F10A3C31ABA62F94D5B80FB
                                                                                                                                                        SHA1:93AEF95E55F592FEE6EB45C1E4EC903F5FDD6288
                                                                                                                                                        SHA-256:F0C478A1263EFCD00F6E3A307A46CF2B033AAF6CAF6241DC88A265AD89139573
                                                                                                                                                        SHA-512:89C579CACB866E4A8FE8E8BF235751A0034C9B588289CC4C914A01009E84E291FDB1C21DDC82FF2C931CEC9C3C6CFF9F65021E1E65F3172EE39937EFCB3A2593
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:Qt Translation file
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):60425
                                                                                                                                                        Entropy (8bit):4.949401711913344
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:1536:Qa6nrcBoMKRiPlwnCghUeepp0T6socBXoYKwVjbgf7PGjO:QLQBoMK+wnCghUeeMT6ZgXXKwVbgf7PZ
                                                                                                                                                        MD5:14DDA725FFEC576D355634283DC77025
                                                                                                                                                        SHA1:48126BDE0ABCB6A12EA9051B312B9A2F428AA2EC
                                                                                                                                                        SHA-256:C16B3985C0399CD668246DD58915F6C356C849176CB84AAE7D8A3D5F5B6392BB
                                                                                                                                                        SHA-512:3FF0705A08E5548200D7917BB1E773F703340E8CDF75173FCC0B6710369952BECD05C684A2D1495259C06AF033A22B817A6428EFAD4CBF955A62D821E43ABBB5
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:Qt Translation file
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):46377
                                                                                                                                                        Entropy (8bit):5.790331245678028
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:uYcJVbBo0NV4ZURc6Uks0fEjJYkcEyPG4qKpOXAZljrqxKaw5O:uYcnFo0LRch1hAZljm
                                                                                                                                                        MD5:73B734057DFE2B181D3924767B9EF8CF
                                                                                                                                                        SHA1:30C6C0AF41354576D17E663CD88FE13F96A7A050
                                                                                                                                                        SHA-256:BEA559B2E950A9C5A8AE20C7F48C728482AFC2722E12CFD5A03DB7F1EE826F03
                                                                                                                                                        SHA-512:325EC3E1CE754532A00B030BB6FD59F5795E47BB42594FCF45E0270F1064CAE9EB9F1E858FE8E05F72BC934636C658067F6260FE75E260451B58F8267E625139
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:Qt Translation file
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):60425
                                                                                                                                                        Entropy (8bit):4.949401711913344
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:1536:Qa6nrcBoMKRiPlwnCghUeepp0T6socBXoYKwVjbgf7PGjO:QLQBoMK+wnCghUeeMT6ZgXXKwVbgf7PZ
                                                                                                                                                        MD5:14DDA725FFEC576D355634283DC77025
                                                                                                                                                        SHA1:48126BDE0ABCB6A12EA9051B312B9A2F428AA2EC
                                                                                                                                                        SHA-256:C16B3985C0399CD668246DD58915F6C356C849176CB84AAE7D8A3D5F5B6392BB
                                                                                                                                                        SHA-512:3FF0705A08E5548200D7917BB1E773F703340E8CDF75173FCC0B6710369952BECD05C684A2D1495259C06AF033A22B817A6428EFAD4CBF955A62D821E43ABBB5
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:Qt Translation file
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):63381
                                                                                                                                                        Entropy (8bit):4.779644160958497
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:84IVmQVbV8O76rUB+sqKzU9FmSmSozWkovYPXQQUhFP+DP/EBiZdLxNmdx8:1VQV5J7/BlqRYsP+n
                                                                                                                                                        MD5:B68D3C8B7DFA72D1EC4332EDB78CC4F2
                                                                                                                                                        SHA1:A5772C8969FD1CC9C1D646EBEB5AF138343E9BD4
                                                                                                                                                        SHA-256:88473D4720F1A823B281106653B98BABAC470AC332C019A3623E85D72C6D0D87
                                                                                                                                                        SHA-512:ACA9705418EA26721DC6EEAE353BA3BF4FD44512043D0B53782E77E929E72E2AD6D1B340B04EEBA95B3EED06C3280E347FF704041970614631F797B2EB31D560
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:Qt Translation file
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):64309
                                                                                                                                                        Entropy (8bit):4.7807943343150425
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:JE37pchgvuQUG6OckUzAsPPizZQ56V0HJDRcVkkPabbldvPfF/HR1Bi:WLqhgvEG6OcT+hPabbldvF/g
                                                                                                                                                        MD5:478DD839BF5334C254390B3ADE43E994
                                                                                                                                                        SHA1:D13AC2FD33FD5C1B9C059C63AFF05CF03457343B
                                                                                                                                                        SHA-256:D32043438BA0B249EF5DDE1D411BD07F86E1C332B019E1920F9C0C8CAAE292D6
                                                                                                                                                        SHA-512:DDE95A06706925825E36354D15318DDA0E579C38A84717E8EBB6F4B7BADBA16F87AD422BB485800AA96EE3E742537F1E41E9903F6A6F236C4093FF3B222A2600
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:Qt Translation file
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):57732
                                                                                                                                                        Entropy (8bit):5.400917862390972
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:1536:naa7Ug5gzL5em09/285D5d6wiNdYhReauMPRnwepe2E:nacUg5Uem09Z6VdYhReapnwepe2E
                                                                                                                                                        MD5:8C955BA4ECAD9F82010D8F4ED5F58FBB
                                                                                                                                                        SHA1:7BD48E206CE89E9EC2A25AD9355356A24B4985CD
                                                                                                                                                        SHA-256:FE2BDC52B4F17DCE22975F97C5C038921557BC5CA2017C1A1C9C356684BBA107
                                                                                                                                                        SHA-512:E659B5213829BC31298BB47F745F5C04ABE39AD27BBCE329A720DEF8546172833A74BBCF5993B39387E06119D113DDDAE2259A725F642965260B0926A497EF7A
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:Qt Translation file
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):64745
                                                                                                                                                        Entropy (8bit):4.806037676893342
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:1536:Ls3Bw0ZS9m6RzPU0vLXTJRfRd42WC0GVax:g3BlS9mOPNvLX9RfRd42WC0GVax
                                                                                                                                                        MD5:E05BE85D044EA71F4BC7140B8EAF21E7
                                                                                                                                                        SHA1:BF89DF34CC8D5F5F604DB1653782FCD70605C37C
                                                                                                                                                        SHA-256:7079AE3F52F85943A7AE17DDE0D9A15F584B9ACC0BAB1843BC8FB96EFBCD9E91
                                                                                                                                                        SHA-512:9C03B8DEE41E275F0CFB504BCB3BBB06292DEE0DEB60BF4BD05694F2D63C1CBB17E6C667F37844E9D8B77FA84E57C48664488851909A0D2C09DCA74A7E07D8A3
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:Qt Translation file
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):63475
                                                                                                                                                        Entropy (8bit):4.795438163869372
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:627KbEtBgJLMOiUzl6UhO3I6OdypZU2DK8mRT2kWDYUYvLGzKmvqmA1:6aKoEhM6zlhZuCWDCvCm7
                                                                                                                                                        MD5:B55602949992E50B136C129D9A1B04F9
                                                                                                                                                        SHA1:4ECC62710A4DB1201A6E4EE5E707E20614B97B09
                                                                                                                                                        SHA-256:67E06A77047821445DD3710810EC1EE912CFB084F0645256B3E04E9C4C5E7C38
                                                                                                                                                        SHA-512:0644EE8E0BEA52DC2F014F7A29AC1FEEAF7998124B374A0E27A19B31A23B80D7C7C229F8B58A9C02AE8D28CD68DBB6F8EE659E80F6758F3CA39A9CF8212E138B
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:Qt Translation file
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):57617
                                                                                                                                                        Entropy (8bit):5.544709954027822
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:1536:8nygJLT9D7CxAAVLPdWsdJONjqSERWYZjqyaf:8XlCmqPxvif
                                                                                                                                                        MD5:7255EF532F10A3C31ABA62F94D5B80FB
                                                                                                                                                        SHA1:93AEF95E55F592FEE6EB45C1E4EC903F5FDD6288
                                                                                                                                                        SHA-256:F0C478A1263EFCD00F6E3A307A46CF2B033AAF6CAF6241DC88A265AD89139573
                                                                                                                                                        SHA-512:89C579CACB866E4A8FE8E8BF235751A0034C9B588289CC4C914A01009E84E291FDB1C21DDC82FF2C931CEC9C3C6CFF9F65021E1E65F3172EE39937EFCB3A2593
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:Qt Translation file
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):58685
                                                                                                                                                        Entropy (8bit):4.890440342646496
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:AfyrMmj/laUq5ghoU0gDH03oAi47/3PdOIIq4Byjn5DUOl4VC+w+1WCu+eY4f8TU:A6rMmZBq5ghX0/7Iq4BKlPl4VC+wQut
                                                                                                                                                        MD5:EEBC5A7846068D2EDFF17774EC12600F
                                                                                                                                                        SHA1:B2E773E5D63E7FE78E7049081A04F8E34A8BA376
                                                                                                                                                        SHA-256:C25C1C873222011B016CB2CCBFCC7FE98B40FB6612EC9A3F0BF5FE18CE856750
                                                                                                                                                        SHA-512:F324ECE06FB57EADB257D137DF059BCAE11348FE6E63513D34DAA08F78525FF13B1D39B469462E1655E2697E9E2382F226FCC9172E51888BC5A06BD65D6E308C
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:Qt Translation file
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):62066
                                                                                                                                                        Entropy (8bit):4.934441152389104
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:u9Ku9eAukifacU2IPTUL7J4DAIiYp7cu1JBPnmm/ACbPSYcaQs3sKgt9xdjbzgBg:qeAea72IPwO3/ACbBnsKg/xdjbzL/
                                                                                                                                                        MD5:2EE023974FB9B122C29C11DEE033323D
                                                                                                                                                        SHA1:26E0B6A676481DE095DF72BC3744BB7F6FC1D16F
                                                                                                                                                        SHA-256:BC137224351AAD3C7CC60F84CE0DBD6CBDE08DE53ABCF945ABDA559D32993B6C
                                                                                                                                                        SHA-512:0B3C8D6EA8D00B33368AD674238E0F4ACF3CC376877B00183F7348F451BBA72E18D0A0993A71E372B59AC96B88C600C74C2C47BF66E8CB38D9C5827AFE8E9266
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:Qt Translation file
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):65057
                                                                                                                                                        Entropy (8bit):4.775392635465369
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:Y5R5IlU6sG7dqd6IT29UOtvUBRXdJhKOOSv80lXzzFvz2Vi8bWuSms3QZMqRdL6:2RBOBWOtsTNd8ylus
                                                                                                                                                        MD5:D1C59556DED29D5E268A7A956BCCEE14
                                                                                                                                                        SHA1:D08268DE103B3728C8A88A37B7B761F0AF85476B
                                                                                                                                                        SHA-256:CABAE88C6C4BFD1FEB475C7940ACB38E89201F8122BAEA7FAEDA08385A51FAC3
                                                                                                                                                        SHA-512:05CF84C8E45C193C2ABD236B8B47939D2A349A67D16AE845537DF93095071D430860036E8396F79585E78C59422A6AAC83FCFC45F26BFBDA2050604BA8C3E7AC
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:Qt Translation file
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):62891
                                                                                                                                                        Entropy (8bit):4.823364078120669
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:HM0kVXe1I/LCXU1ZBUH7uUF1kGCvs8eN/0S4Lhh7a9nKoJ+MVSLze:HKZgI/H1ZuCTh7g7
                                                                                                                                                        MD5:B2157DA8DD5BF92C15AA1F71791C9EFB
                                                                                                                                                        SHA1:BBD31B6B6A84ADA045C9525C35F14234D4768866
                                                                                                                                                        SHA-256:1059322DFFE9E89A3AC30DD6909BB557A7A4ED846964E4CBDC61B9CAD1C09ADC
                                                                                                                                                        SHA-512:C10538AF718448D2DA5E6DB8884C207FB71984A499FE61B3F9060F5F5CE282F9AF0A86F15FCC7D2CDBCCAC423796CF5B891D1D12E2AFAF520B5AC90E765AC3C4
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1168840
                                                                                                                                                        Entropy (8bit):6.796126828525289
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:tCjjeiNFnAp+O+R2l2WDPc/9qHrX0cJ/gAp0ei5mcvIZPoy4aVvFjDp:4jyuRR2l2WD6I/bp0erVL
                                                                                                                                                        MD5:2040CDCD779BBEBAD36D36035C675D99
                                                                                                                                                        SHA1:918BC19F55E656F6D6B1E4713604483EB997EA15
                                                                                                                                                        SHA-256:2AD9A105A9CAA24F41E7B1A6F303C07E6FAECEAF3AAF43EBD644D9D5746A4359
                                                                                                                                                        SHA-512:83DC3C7E35F0F83E1224505D04CDBAEE12B7EA37A2C3367CB4FCCC4FFF3E5923CF8A79DD513C33A667D8231B1CC6CFB1E33F957D92E195892060A22F53C7532F
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:InnoSetup Log Icecream PDF Editor 3 {015AF6C3-CE60-4307-88EF-3D59C8B515FE}, version 0x418, 22262 bytes, 715575\37\user\376\, C:\Program Files (x86)\Icecream PDF Editor
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):22262
                                                                                                                                                        Entropy (8bit):3.5817112768615096
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:/lS+3bP4DSmi6xESr8u5nd1S7Cq9zfrnFz8m9MHR:/ld3bPIpxndBqHD9MHR
                                                                                                                                                        MD5:DE7A226ED6F59BB845C91CFBFE29C2CF
                                                                                                                                                        SHA1:F37EBD9988ED445C1027D6E2ACE292234A0BCCB9
                                                                                                                                                        SHA-256:99CE5DD4E9225CCAEAD0AEAC1D2769F0496C317A95599D679AC1A951D89F726F
                                                                                                                                                        SHA-512:DBD73B6DC90F76A8C3D20E3C5D41535D9A2B7033434263FA1D0679715C14A5BDDA71F9030068816FAEFE1BC01A525E317D36C8E2FF29E5152A51E2988EDFBF27
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1309248
                                                                                                                                                        Entropy (8bit):6.527529456231143
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:8tdAm9DUi/CR3wCkCiRgoG7hBaHkbEXXeG/jFt5xax0vTx96e7C:kqTytRFk6ek1x3O
                                                                                                                                                        MD5:4BE9718959029220FC534542CB891006
                                                                                                                                                        SHA1:B205217CEAC2E6F583B250EBC55106001F59EB87
                                                                                                                                                        SHA-256:DB8B0C53B3CF466F055325513273671773A138BCAE59B84E4C78DC7DEE393452
                                                                                                                                                        SHA-512:B21A946BC700988773BE610787B4C4D26F994369742D0293AC74457CFEEE727D7B8F7B7101C8A36C62488B32A1E4D0F85349F8F16A74100D530BE8534FF5658B
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:InnoSetup messages, version 5.5.3, 221 messages (UTF-16), &About Setup...
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):22709
                                                                                                                                                        Entropy (8bit):3.2704486925356004
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:Q41EjXgkg3Sqf8sfr69FT0AKanzLYfMa1tzvL7Vzo+Fc51USQDztXfbKJUfvo:Q41Elvqf9r6fKVfMmRo+y1USQDztP3o
                                                                                                                                                        MD5:79173DA528082489A43F39CF200A7647
                                                                                                                                                        SHA1:AA253B477CE2BF9D886D07694CD5DDB7C7FE9EEC
                                                                                                                                                        SHA-256:4F36E6BE09CD12E825C2A12AB33544744E7256C9094D7149258EA926705E8FFD
                                                                                                                                                        SHA-512:C46EB9DD3D03A993FDC4F65AE2751ECFDCB1FB6E1FB69A119105FD40290CE5EC4427B04F813EED47415390689943D05B5432D4571B1ACA0CE37EE52391790D18
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):76152
                                                                                                                                                        Entropy (8bit):6.779355547596994
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:1536:igTqURG2vo0RwvI7sjBH+cOKXc36r23vEecbiOkNAPy:idURhvZ6vIQVrPysecbiOkKy
                                                                                                                                                        MD5:9E532403774906F0D1E3179D8840674D
                                                                                                                                                        SHA1:DAC4A653D468F873D5F5533E0C91C93FE5BE1E5B
                                                                                                                                                        SHA-256:E30380FB3301B114F4DD4D09A83C8F2B1C0D6885412065F0D163B0FB342D86C0
                                                                                                                                                        SHA-512:9DED622AD9101EBBD7C4447B11FB1AAFA4DDA47BEE76585A6090B2D756D721AD59CF8B6B3D1B40945FDFA27C9C409283BAA5A0D435B1F351AE4BE9675B577706
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Oct 24 11:51:34 2024, mtime=Thu Oct 24 11:51:38 2024, atime=Fri Sep 20 15:00:22 2024, length=4369472, window=hide
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1203
                                                                                                                                                        Entropy (8bit):4.612728303425852
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24:8mzc2+dEydOEoElKZK/KWR+AyNMdalKZ3DdalKZIUUMPqygm:8mzc2+aydONZK//sMd9Zzd9Zdgyg
                                                                                                                                                        MD5:8F310678D0E7B6270887616510B88286
                                                                                                                                                        SHA1:A3C7D053E80AAFC2759C061AEF7B9FD1E6F19E84
                                                                                                                                                        SHA-256:C517A808CE6801EBEC4E9CF5B1FDAD9599343D9A23A22F1FB7104FB06696AC54
                                                                                                                                                        SHA-512:DE5D76D6DBA4ED451ACF13B1BE85FC34148111ECFB2B3EE1F81470AB64967DCB7C3BA8936694E12D6AA7ED8832C13DF5312AE177AAF9399E8A58D57035CAF9D7
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Oct 24 11:51:34 2024, mtime=Thu Oct 24 11:51:40 2024, atime=Fri Sep 20 15:00:22 2024, length=4369472, window=hide
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1191
                                                                                                                                                        Entropy (8bit):4.618762585843705
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24:8muc2+dEydOEo7lKZK/KWR+AyNzR0dalKZ3DdalKZIUUMPqygm:8muc2+aydOOZK//szR0d9Zzd9Zdgyg
                                                                                                                                                        MD5:F51F6524950D1076DEA1225939949361
                                                                                                                                                        SHA1:5B5771FE8C6F32529462C6DFA63497CDC75ECC9C
                                                                                                                                                        SHA-256:FE2D4866A601CB076800E61DD4FA74F48F0CD29080B0EF061A6CC338E1532E20
                                                                                                                                                        SHA-512:3BDDAD17A88441E4CFB7312E45201A7D1DBCDC35FD7C87722C05E0CEB59894752DD902FB158E5CB921D18B231473CD14D353F56EF2AB0A35DE43D78C13AFB450
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe
                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1309248
                                                                                                                                                        Entropy (8bit):6.527529456231143
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:8tdAm9DUi/CR3wCkCiRgoG7hBaHkbEXXeG/jFt5xax0vTx96e7C:kqTytRFk6ek1x3O
                                                                                                                                                        MD5:4BE9718959029220FC534542CB891006
                                                                                                                                                        SHA1:B205217CEAC2E6F583B250EBC55106001F59EB87
                                                                                                                                                        SHA-256:DB8B0C53B3CF466F055325513273671773A138BCAE59B84E4C78DC7DEE393452
                                                                                                                                                        SHA-512:B21A946BC700988773BE610787B4C4D26F994369742D0293AC74457CFEEE727D7B8F7B7101C8A36C62488B32A1E4D0F85349F8F16A74100D530BE8534FF5658B
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):6144
                                                                                                                                                        Entropy (8bit):4.720366600008286
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                                                                                        MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                                                                                        SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                                                                                        SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                                                                                        SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                                                                                        Malicious:false
                                                                                                                                                        File type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                        Entropy (8bit):7.999990504649236
                                                                                                                                                        TrID:
                                                                                                                                                        • ZIP compressed archive (8000/1) 99.91%
                                                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.09%
                                                                                                                                                        File name:Archive.zip
                                                                                                                                                        File size:25'201'421 bytes
                                                                                                                                                        MD5:c60cd0df4975d745722d1776d5be95b5
                                                                                                                                                        SHA1:f8e2eb05478108eae1f8fa28f70ebb64163d032d
                                                                                                                                                        SHA256:f1ed181ee30a70c0f71aacf7c592be0e6589421bc479e379109c4c3f572bb663
                                                                                                                                                        SHA512:0acf58368d7ff611f3bb2b5db33066c561f8de5ac16ba5dec55cad9c6e4943e2a16cea024a2ef7242ad11321eafac6153a25d00cd463185a179cb7c498c6d968
                                                                                                                                                        SSDEEP:393216:Y9boqdq36HOHLqoqV8faabXapOCTQYDXBvNlj5lCETsU6CFzdJmHIBs4m0/TLwW:Kbldq3SDqfaawOpCXFjlsU5Rn0fWTLwW
                                                                                                                                                        TLSH:134733BF8A1F959977E3CE8B12B464FA0DC188CDDE84D00A781ACF56BD4ACA054C3567
File Content Preview: [binary ZIP data; visible entry names: MDE_File_Sample_5947d8bd2f31bedc98f322800cabd2fb85e56117-2.zip, icepdfeditor.exe]
                                                                                                                                                        Icon Hash:1c1c1e4e4ececedc
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                        Oct 24, 2024 14:51:44.935760021 CEST49711443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:51:44.935827017 CEST49711443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:51:44.936832905 CEST4434971237.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:51:44.936897993 CEST49712443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:51:44.938517094 CEST4434970992.223.124.62192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:51:44.938601971 CEST49709443192.168.2.1692.223.124.62
                                                                                                                                                        Oct 24, 2024 14:51:44.943569899 CEST4434971037.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:51:44.943654060 CEST49710443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:51:45.037364006 CEST4434971492.223.124.62192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:51:45.037466049 CEST49714443192.168.2.1692.223.124.62
                                                                                                                                                        Oct 24, 2024 14:51:59.898576975 CEST49717443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:51:59.898583889 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:51:59.898659945 CEST49717443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:51:59.900716066 CEST49717443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:51:59.900728941 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:00.741010904 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:00.741648912 CEST49717443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:52:00.741683006 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:00.742782116 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:00.742892027 CEST49717443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:52:00.744066000 CEST49717443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:52:00.744163036 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:00.744201899 CEST49717443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:52:00.787369967 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:00.787420988 CEST49717443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:52:00.787432909 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:00.835489988 CEST49717443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:52:01.107150078 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:01.107168913 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:01.107176065 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:01.107206106 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:01.107220888 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:01.107229948 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:01.107280970 CEST49717443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:52:01.107281923 CEST49717443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:52:01.107310057 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:01.107388020 CEST49717443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:52:01.109291077 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:01.109299898 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:01.109330893 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:01.109421968 CEST49717443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:52:01.109445095 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:01.109458923 CEST49717443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:52:01.109570980 CEST49717443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:52:01.151972055 CEST49723443192.168.2.1692.223.124.62
                                                                                                                                                        Oct 24, 2024 14:52:01.152003050 CEST4434972392.223.124.62192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:01.152183056 CEST49723443192.168.2.1692.223.124.62
                                                                                                                                                        Oct 24, 2024 14:52:01.152374983 CEST49723443192.168.2.1692.223.124.62
                                                                                                                                                        Oct 24, 2024 14:52:01.152386904 CEST4434972392.223.124.62192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:01.224953890 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:01.224977016 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:01.225070953 CEST49717443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:52:01.225083113 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:01.225145102 CEST49717443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:52:01.227168083 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:01.227186918 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:01.227264881 CEST49717443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:52:01.227264881 CEST49717443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:52:01.227277994 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:01.227324963 CEST49717443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:52:01.229020119 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:01.229036093 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:01.229135990 CEST49717443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:52:01.229149103 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:01.229204893 CEST49717443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:52:01.275053024 CEST49717443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:52:01.275111914 CEST4434971737.58.52.149192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:01.275183916 CEST49717443192.168.2.1637.58.52.149
                                                                                                                                                        Oct 24, 2024 14:52:01.351259947 CEST49723443192.168.2.1692.223.124.62
                                                                                                                                                        Oct 24, 2024 14:52:01.391338110 CEST4434972392.223.124.62192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:02.000751972 CEST4434972392.223.124.62192.168.2.16
                                                                                                                                                        Oct 24, 2024 14:52:02.000838041 CEST49723443192.168.2.1692.223.124.62
Timestamp | Source IP | Dest IP | Checksum | Code | Type
Oct 24, 2024 14:52:01.162142038 CEST | 192.168.2.16 | 1.1.1.1 | c27c | (Port unreachable) | Destination Unreachable
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 24, 2024 14:51:42.845629930 CEST | 192.168.2.16 | 1.1.1.1 | 0x1c5f | Standard query (0) | icecreamapps.com | A (IP address) | IN (0x0001) | false
Oct 24, 2024 14:51:42.845782995 CEST | 192.168.2.16 | 1.1.1.1 | 0xe3e3 | Standard query (0) | icecreamapps.com | 65 | IN (0x0001) | false
Oct 24, 2024 14:51:44.068886995 CEST | 192.168.2.16 | 1.1.1.1 | 0x81c3 | Standard query (0) | static.icecreamapps.com | A (IP address) | IN (0x0001) | false
Oct 24, 2024 14:51:44.069338083 CEST | 192.168.2.16 | 1.1.1.1 | 0x44f2 | Standard query (0) | static.icecreamapps.com | 65 | IN (0x0001) | false
Oct 24, 2024 14:51:59.886737108 CEST | 192.168.2.16 | 1.1.1.1 | 0xaaa6 | Standard query (0) | icecreamapps.com | A (IP address) | IN (0x0001) | false
Oct 24, 2024 14:51:59.886863947 CEST | 192.168.2.16 | 1.1.1.1 | 0x585d | Standard query (0) | icecreamapps.com | 65 | IN (0x0001) | false
Oct 24, 2024 14:52:01.118271112 CEST | 192.168.2.16 | 1.1.1.1 | 0x34fa | Standard query (0) | static.icecreamapps.com | A (IP address) | IN (0x0001) | false
Oct 24, 2024 14:52:01.118375063 CEST | 192.168.2.16 | 1.1.1.1 | 0x7bd | Standard query (0) | static.icecreamapps.com | 65 | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 24, 2024 14:51:42.853677988 CEST | 1.1.1.1 | 192.168.2.16 | 0x1c5f | No error (0) | icecreamapps.com | | 37.58.52.149 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 14:51:44.083739042 CEST | 1.1.1.1 | 192.168.2.16 | 0x81c3 | No error (0) | static.icecreamapps.com | di-3ihyifb9.vo.lswcdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 14:51:44.083739042 CEST | 1.1.1.1 | 192.168.2.16 | 0x81c3 | No error (0) | di-3ihyifb9.vo.lswcdn.net | cl-2d703670.gcdn.co | | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 14:51:44.083739042 CEST | 1.1.1.1 | 192.168.2.16 | 0x81c3 | No error (0) | cl-2d703670.gcdn.co | | 92.223.124.62 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 14:51:44.087280989 CEST | 1.1.1.1 | 192.168.2.16 | 0x44f2 | No error (0) | static.icecreamapps.com | di-3ihyifb9.vo.lswcdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 14:51:44.087280989 CEST | 1.1.1.1 | 192.168.2.16 | 0x44f2 | No error (0) | di-3ihyifb9.vo.lswcdn.net | cl-2d703670.gcdn.co | | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 14:51:59.894532919 CEST | 1.1.1.1 | 192.168.2.16 | 0xaaa6 | No error (0) | icecreamapps.com | | 37.58.52.149 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 14:52:01.144998074 CEST | 1.1.1.1 | 192.168.2.16 | 0x34fa | No error (0) | static.icecreamapps.com | di-3ihyifb9.vo.lswcdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 14:52:01.144998074 CEST | 1.1.1.1 | 192.168.2.16 | 0x34fa | No error (0) | di-3ihyifb9.vo.lswcdn.net | cl-2d703670.gcdn.co | | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 14:52:01.144998074 CEST | 1.1.1.1 | 192.168.2.16 | 0x34fa | No error (0) | cl-2d703670.gcdn.co | | 92.223.124.62 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 14:52:01.162055016 CEST | 1.1.1.1 | 192.168.2.16 | 0x7bd | No error (0) | static.icecreamapps.com | di-3ihyifb9.vo.lswcdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 14:52:01.162055016 CEST | 1.1.1.1 | 192.168.2.16 | 0x7bd | No error (0) | di-3ihyifb9.vo.lswcdn.net | cl-2d703670.gcdn.co | | CNAME (Canonical name) | IN (0x0001) | false
                                                                                                                                                        • icecreamapps.com
                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                        0192.168.2.164970437.58.52.1494436184C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                        2024-10-24 12:51:43 UTC690OUTGET /PDF-Editor/thankyou.html?v=3.27 HTTP/1.1
                                                                                                                                                        Host: icecreamapps.com
                                                                                                                                                        Connection: keep-alive
                                                                                                                                                        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                                                                                                                        sec-ch-ua-mobile: ?0
                                                                                                                                                        sec-ch-ua-platform: "Windows"
                                                                                                                                                        Upgrade-Insecure-Requests: 1
                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                                                        Sec-Fetch-Site: none
                                                                                                                                                        Sec-Fetch-Mode: navigate
                                                                                                                                                        Sec-Fetch-User: ?1
                                                                                                                                                        Sec-Fetch-Dest: document
                                                                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                                                                        Accept-Language: en-US,en;q=0.9
2024-10-24 12:51:44 UTC | 532 | IN | HTTP/1.1 200 OK
                                                                                                                                                        Server: nginx
                                                                                                                                                        Date: Thu, 24 Oct 2024 12:51:43 GMT
                                                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                                                        Transfer-Encoding: chunked
                                                                                                                                                        Connection: close
                                                                                                                                                        Set-Cookie: PHPSESSID=obenh6rdgeir73j0qndgfbkqnl; path=/
                                                                                                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                        Pragma: no-cache
                                                                                                                                                        Set-Cookie: ic_d=671a42dfcaa3b8.16240271; expires=Sat, 24-Oct-2026 12:51:43 GMT; Max-Age=63072000; path=/; domain=icecreamapps.com
                                                                                                                                                        X-Frame-Options: SAMEORIGIN
                                                                                                                                                        Strict-Transport-Security: max-age=31536000


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.16 | 49717 | 37.58.52.149 | 443 | 5144 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-24 12:52:00 UTC | 697 | OUT | GET / HTTP/1.1
                                                                                                                                                        Host: icecreamapps.com
                                                                                                                                                        Connection: keep-alive
                                                                                                                                                        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                                                                                                                        sec-ch-ua-mobile: ?0
                                                                                                                                                        sec-ch-ua-platform: "Windows"
                                                                                                                                                        Upgrade-Insecure-Requests: 1
                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                                                        Sec-Fetch-Site: none
                                                                                                                                                        Sec-Fetch-Mode: navigate
                                                                                                                                                        Sec-Fetch-User: ?1
                                                                                                                                                        Sec-Fetch-Dest: document
                                                                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                                                        Cookie: ic_d=671a42dfcaa3b8.16240271
2024-10-24 12:52:01 UTC | 400 | IN | HTTP/1.1 200 OK
                                                                                                                                                        Server: nginx
                                                                                                                                                        Date: Thu, 24 Oct 2024 12:52:00 GMT
                                                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                                                        Transfer-Encoding: chunked
                                                                                                                                                        Connection: close
                                                                                                                                                        Set-Cookie: PHPSESSID=1q1lqcentjta57t37efgq4mo8i; path=/
                                                                                                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                        Pragma: no-cache
                                                                                                                                                        X-Frame-Options: SAMEORIGIN
                                                                                                                                                        Strict-Transport-Security: max-age=31536000


                                                                                                                                                        Target ID:1
                                                                                                                                                        Start time:08:51:11
                                                                                                                                                        Start date:24/10/2024
                                                                                                                                                        Path:C:\Windows\System32\rundll32.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                                                                                        Imagebase:0x7ff6d6cc0000
                                                                                                                                                        File size:71'680 bytes
                                                                                                                                                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:9
                                                                                                                                                        Start time:08:51:21
                                                                                                                                                        Start date:24/10/2024
                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe"
                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                        File size:22'740'344 bytes
                                                                                                                                                        MD5 hash:427D86902D064DCBDE0EB4F2D7FD601A
                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                        Programmed in:Borland Delphi
                                                                                                                                                        Reputation:low
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:10
                                                                                                                                                        Start time:08:51:22
                                                                                                                                                        Start date:24/10/2024
                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\is-BA69I.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\is-BA69I.tmp\pdf_editor_setup_Downloadly.ir.tmp" /SL5="$601F8,22152334,238080,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe"
                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                        File size:1'309'248 bytes
                                                                                                                                                        MD5 hash:4BE9718959029220FC534542CB891006
                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                        Programmed in:Borland Delphi
                                                                                                                                                        Reputation:low
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:13
                                                                                                                                                        Start time:08:51:23
                                                                                                                                                        Start date:24/10/2024
                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe" /SPAWNWND=$602C2 /NOTIFYWND=$601F8
                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                        File size:22'740'344 bytes
                                                                                                                                                        MD5 hash:427D86902D064DCBDE0EB4F2D7FD601A
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:Borland Delphi
                                                                                                                                                        Reputation:low
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:14
                                                                                                                                                        Start time:08:51:23
                                                                                                                                                        Start date:24/10/2024
                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\is-7K9QH.tmp\pdf_editor_setup_Downloadly.ir.tmp" /SL5="$70300,22152334,238080,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe" /SPAWNWND=$602C2 /NOTIFYWND=$601F8
                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                        File size:1'309'248 bytes
                                                                                                                                                        MD5 hash:4BE9718959029220FC534542CB891006
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:Borland Delphi
                                                                                                                                                        Reputation:low
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:16
                                                                                                                                                        Start time:08:51:40
                                                                                                                                                        Start date:24/10/2024
                                                                                                                                                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.27
                                                                                                                                                        Imagebase:0x7ff7f9810000
                                                                                                                                                        File size:3'242'272 bytes
                                                                                                                                                        MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:17
                                                                                                                                                        Start time:08:51:41
                                                                                                                                                        Start date:24/10/2024
                                                                                                                                                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1952,i,74056811706744733,4401257274020997871,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                        Imagebase:0x7ff7f9810000
                                                                                                                                                        File size:3'242'272 bytes
                                                                                                                                                        MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:18
                                                                                                                                                        Start time:08:51:48
                                                                                                                                                        Start date:24/10/2024
                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe"
                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                        File size:939'520 bytes
                                                                                                                                                        MD5 hash:8E8EB38C6438BAA41A5867B6F465926F
                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:low
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:20
                                                                                                                                                        Start time:08:51:48
                                                                                                                                                        Start date:24/10/2024
                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe"
                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                        File size:939'520 bytes
                                                                                                                                                        MD5 hash:8E8EB38C6438BAA41A5867B6F465926F
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:Borland Delphi
                                                                                                                                                        Yara matches:
                                                                                                                                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                                                        Reputation:low
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:22
                                                                                                                                                        Start time:08:51:58
                                                                                                                                                        Start date:24/10/2024
                                                                                                                                                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://icecreamapps.com/
                                                                                                                                                        Imagebase:0x7ff7f9810000
                                                                                                                                                        File size:3'242'272 bytes
                                                                                                                                                        MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:23
                                                                                                                                                        Start time:08:51:58
                                                                                                                                                        Start date:24/10/2024
                                                                                                                                                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1956,i,7196489178614102710,14503791149393765188,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                        Imagebase:0x7ff7f9810000
                                                                                                                                                        File size:3'242'272 bytes
                                                                                                                                                        MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:26
                                                                                                                                                        Start time:08:53:05
                                                                                                                                                        Start date:24/10/2024
                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe"
                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                        File size:939'520 bytes
                                                                                                                                                        MD5 hash:8E8EB38C6438BAA41A5867B6F465926F
                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:28
                                                                                                                                                        Start time:08:53:06
                                                                                                                                                        Start date:24/10/2024
                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe"
                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                        File size:939'520 bytes
                                                                                                                                                        MD5 hash:8E8EB38C6438BAA41A5867B6F465926F
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:Borland Delphi
                                                                                                                                                        Has exited:false

                                                                                                                                                        Target ID:29
                                                                                                                                                        Start time:08:53:10
                                                                                                                                                        Start date:24/10/2024
                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_5947d8bd2f31bedc98f322800cabd2fb85e56117-2.zip\icepdfeditor.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_5947d8bd2f31bedc98f322800cabd2fb85e56117-2.zip\icepdfeditor.exe"
                                                                                                                                                        Imagebase:0x450000
                                                                                                                                                        File size:4'369'472 bytes
                                                                                                                                                        MD5 hash:6700C9E3B5ADB8292F5FF09D1C38C920
                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:false


                                                                                                                                                          Execution Graph

                                                                                                                                                          Execution Coverage:3.4%
                                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                          Signature Coverage:10.6%
                                                                                                                                                          Total number of Nodes:566
                                                                                                                                                          Total number of Limit Nodes:41

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          APIs
                                                                                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,00000000), ref: 00406670
                                                                                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 0040668E
                                                                                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 004066AC
                                                                                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 004066CA
                                                                                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406759,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406713
                                                                                                                                                          • RegQueryValueExA.ADVAPI32(?,004068C0,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406759,?,80000001), ref: 00406731
                                                                                                                                                          • RegCloseKey.ADVAPI32(?,00406760,00000000,?,?,00000000,00406759,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406753
                                                                                                                                                          • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406770
                                                                                                                                                          • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 0040677D
                                                                                                                                                          • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406783
                                                                                                                                                          • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 004067AE
                                                                                                                                                          • lstrcpyn.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004067F5
                                                                                                                                                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406805
                                                                                                                                                          • lstrcpyn.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 0040682D
                                                                                                                                                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 0040683D
                                                                                                                                                          • lstrcpyn.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406863
                                                                                                                                                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406873
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000014.00000002.1955083565.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005D1000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005F0000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.0000000000658000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1960185530.0000000000666000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_Patch.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                                                                                                          • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                                                                          • API String ID: 1759228003-2375825460
                                                                                                                                                          • Opcode ID: 3c5a9faecf0089d84e31240fc12571415decdeaec235185334a13c4c630849ea
                                                                                                                                                          • Instruction ID: 5e157ed5537b4a237584c827f581b5c79b87ad4d306dd5e91e6fd8f6d5e6d84f
                                                                                                                                                          • Opcode Fuzzy Hash: 3c5a9faecf0089d84e31240fc12571415decdeaec235185334a13c4c630849ea
                                                                                                                                                          • Instruction Fuzzy Hash: 5F51A372A0021C7AFB25D6A58C46FEF77AC8B04748F4140B7BA01F61C1E678DA448BA8

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          control_flow_graph 232 40a3b8-40a3e0 call 4051c8 FindFirstFileA 235 40a3e2 232->235 236 40a3f8-40a3fd GetLastError 232->236 237 40a3e4 call 40a334 235->237 238 40a3ff-40a404 236->238 239 40a3e9-40a3ed 237->239 239->238 240 40a3ef-40a3f1 call 40a42c 239->240 242 40a3f6 240->242 242->238
                                                                                                                                                          APIs
                                                                                                                                                          • FindFirstFileA.KERNEL32(00000000,?), ref: 0040A3D3
                                                                                                                                                          • GetLastError.KERNEL32(00000000,?), ref: 0040A3F8
                                                                                                                                                            • Part of subcall function 0040A334: FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A364
                                                                                                                                                            • Part of subcall function 0040A334: FileTimeToDosDateTime.KERNEL32(?,?), ref: 0040A373
                                                                                                                                                            • Part of subcall function 0040A42C: FindClose.KERNEL32(?,?,0040A3F6,00000000,?), ref: 0040A438
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000014.00000002.1955083565.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005D1000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005F0000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.0000000000658000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1960185530.0000000000666000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_Patch.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: FileTime$Find$CloseDateErrorFirstLastLocal
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 976985129-0
                                                                                                                                                          • Opcode ID: 88c0eba407a221059a17cb6394ef407e21858510004f2839074d1fdf81b68649
                                                                                                                                                          • Instruction ID: 7318d6a742725103a9cba4891fa0b0bafbc07ed17d6ac625fda81cc6e886857b
                                                                                                                                                          • Opcode Fuzzy Hash: 88c0eba407a221059a17cb6394ef407e21858510004f2839074d1fdf81b68649
                                                                                                                                                          • Instruction Fuzzy Hash: C7E0A972A0122007C714AA6E088149F65888A843A931902BBFC14FB2C2E53CCC2607DA

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          control_flow_graph 259 407298-407299 260 4072db-4072fb 259->260 261 40729b-4072a2 259->261 262 407369 260->262 263 4072fd 260->263 261->260 264 40736b 262->264 265 4073cc-4073cd 262->265 266 407309-407330 263->266 267 4072ff-407303 263->267 269 4073c0-4073cb RegQueryValueExA 264->269 270 40736d-40736f 264->270 268 4073ce-4073d5 265->268 272 407333 266->272 273 407398-40739d RegCreateKeyExA 266->273 276 407351-407359 267->276 277 407305 267->277 274 4073d6-407424 CopyFileA CreateMutexA 268->274 269->265 270->274 282 407371-407378 AllocateAndInitializeSid 270->282 279 407335-40733c 272->279 280 4073ab-4073ac 272->280 278 40739f-4073a3 273->278 276->268 281 40735b-40735d 276->281 277->266 283 4073a4-4073a5 278->283 279->283 288 40733f 279->288 285 4073ad-4073b5 280->285 281->278 286 40735f-407366 281->286 287 407395 282->287 283->280 289 4073b7-4073bd 285->289 286->262 286->285 287->273 288->289 290 407341-40734e 288->290 289->269 290->287 291 407350 290->291 291->276
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 0367e5f77bd93087222fc53954bc11bf2d82155372a92d8f23bf38d1ebb15c6c
                                                                                                                                                          • Instruction ID: 8aeb1cb433f889c171490a0e4d23618bc073b500d8069fbb6a976648bc53ce31
                                                                                                                                                          • Opcode Fuzzy Hash: 0367e5f77bd93087222fc53954bc11bf2d82155372a92d8f23bf38d1ebb15c6c
                                                                                                                                                          • Instruction Fuzzy Hash: 3A41FC3285D7C45FE72A8A20AE6A2A17F50F713310F0805AFCC856A997D33B7515E74E

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          control_flow_graph 316 41c724-41c733 317 41c735 316->317 318 41c73b-41c752 call 4051c8 FindResourceA 316->318 317->318 321 41c7a1-41c7a6 318->321 322 41c754-41c77b call 4205e0 call 41fec4 318->322 326 41c780-41c797 call 403e18 322->326
                                                                                                                                                          APIs
                                                                                                                                                          • FindResourceA.KERNEL32(?,00000000,0000000A), ref: 0041C746
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: FindResource
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1635176832-0
                                                                                                                                                          • Opcode ID: 927b739f5dd82f3a62546379a84184c750f96bd51a941ff20b51cb646dc3ae75
                                                                                                                                                          • Instruction ID: 996fa8d1b5cc83aab3616b7d890c4885aeaf4f2c35666b1494ada21590d8a41e
                                                                                                                                                          • Opcode Fuzzy Hash: 927b739f5dd82f3a62546379a84184c750f96bd51a941ff20b51cb646dc3ae75
                                                                                                                                                          • Instruction Fuzzy Hash: E201D471344701AFE700DF5AECC296AB7EDDB89724B21403AF50497291DA799C019A54

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          APIs
                                                                                                                                                          • GetThreadLocale.KERNEL32(00000000,0040EE77,?,?,00000000,00000000), ref: 0040EBE2
                                                                                                                                                            • Part of subcall function 0040D29C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D2BA
                                                                                                                                                          Strings
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Locale$InfoThread
                                                                                                                                                          • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                                                                                                          • API String ID: 4232894706-2493093252
                                                                                                                                                          • Opcode ID: e596efd3e15893db175018f12e90038649555bba701bce8a071dfc970edbbe08
                                                                                                                                                          • Instruction ID: 384570b5c086108fd862587f4ee1b0a76cd021afc31e3a6baf9d09aa45334233
                                                                                                                                                          • Opcode Fuzzy Hash: e596efd3e15893db175018f12e90038649555bba701bce8a071dfc970edbbe08
                                                                                                                                                          • Instruction Fuzzy Hash: 8E613230B001089BD704E7E6D841A9EB7A6AB88304F50987FB501BB7D6DA3CDD19976D

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          control_flow_graph 117 40a1ce-40a1e4 call 4051c8 GetFileAttributesA 120 40a1e6-40a1ed 117->120 121 40a1ee-40a1f8 GetLastError 117->121 122 40a1fa-40a1fd 121->122 123 40a20f-40a211 121->123 122->123 124 40a1ff-40a202 122->124 125 40a215-40a217 123->125 124->123 126 40a204-40a20d call 40a190 124->126 126->123 129 40a213 126->129 129->125
                                                                                                                                                          APIs
                                                                                                                                                          • GetFileAttributesA.KERNEL32(00000000), ref: 0040A1DC
                                                                                                                                                          • GetLastError.KERNEL32(00000000), ref: 0040A1EE
                                                                                                                                                          Strings
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: AttributesErrorFileLast
                                                                                                                                                          • String ID: {
                                                                                                                                                          • API String ID: 1799206407-366298937
                                                                                                                                                          • Opcode ID: 6ae13cbaaa682d1f18c01fb240318da2dd190ae950ee82183eaadb9af243c041
                                                                                                                                                          • Instruction ID: 1dc9cbbd464976f05ea86cb53fb5db1caf0f7eec3f55fcb7d0db837bc37438c1
                                                                                                                                                          • Opcode Fuzzy Hash: 6ae13cbaaa682d1f18c01fb240318da2dd190ae950ee82183eaadb9af243c041
                                                                                                                                                          • Instruction Fuzzy Hash: DDE048616953202DCD3571FC19C95AB024449562A972405BBF911F73D2FA3F5C62119F

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          control_flow_graph 130 40eae8-40eb11 GetThreadLocale 131 40eb13 130->131 132 40eb15-40eb18 130->132 131->132 133 40eb30-40eb4a 132->133 134 40eb1a-40eb2d 132->134 135 40eb5b-40eb67 GetSystemMetrics 133->135 136 40eb4c-40eb53 133->136 134->133 138 40eb6a-40eb7b GetSystemMetrics 135->138 136->135 137 40eb55-40eb59 136->137 137->138 139 40eb84-40eb8a 138->139 140 40eb7d-40eb83 call 40ea8c 138->140 140->139
                                                                                                                                                          APIs
                                                                                                                                                          • GetThreadLocale.KERNEL32 ref: 0040EB0A
                                                                                                                                                          • GetSystemMetrics.USER32(0000004A), ref: 0040EB5D
                                                                                                                                                          • GetSystemMetrics.USER32(0000002A), ref: 0040EB6C
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: MetricsSystem$LocaleThread
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 2159509485-0
                                                                                                                                                          • Opcode ID: a6bb45a4ab979f4702b9d378431415994253ac56f2ce1c2b0e03d07efa9f64d6
                                                                                                                                                          • Instruction ID: 39d7488d5252617bc629c71f1b51ede6515f0395e25e7805149dbde686e4dc39
                                                                                                                                                          • Opcode Fuzzy Hash: a6bb45a4ab979f4702b9d378431415994253ac56f2ce1c2b0e03d07efa9f64d6
                                                                                                                                                          • Instruction Fuzzy Hash: 2701E521A047518ED3209A679801B63B6E8EF51325F44C83FD88AA73C1DB3DA857C76A

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          control_flow_graph 143 405608-40560a 144 405610-40561a SysAllocStringLen 143->144 145 405518-40551c 143->145 146 405620-40562a SysFreeString 144->146 147 4054e8-4054f2 144->147 148 40552c-40555a 145->148 149 40551e-40552b SysFreeString 145->149 156 405504 147->156 157 4054f4-4054fe SysAllocStringLen 147->157 148->145 152 405560-405565 148->152 149->148 152->145 153 40556b-405575 SysReAllocStringLen 152->153 153->147 155 40557b 153->155 157->147 157->156
                                                                                                                                                          APIs
                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 00405526
                                                                                                                                                          • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00405613
                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 00405625
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000014.00000002.1955083565.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005D1000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005F0000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.0000000000658000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1960185530.0000000000666000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_Patch.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: String$Free$Alloc
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 986138563-0

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          control_flow_graph 158 404b90-404ba2 159 404ba4-404ba7 158->159 160 404bb8-404bbf 158->160 159->160 161 404ba9-404bb6 159->161 162 404bc1-404bcd call 404a70 call 404b04 160->162 163 404bd2-404bd6 160->163 161->160 162->163 165 404be6-404bef call 404918 163->165 166 404bd8-404bdf 163->166 173 404bf1-404bf8 165->173 174 404bfa-404bff 165->174 166->165 167 404be1-404be3 166->167 167->165 173->174 176 404c1d-404c26 call 4048f0 173->176 174->176 177 404c01-404c11 call 4069f8 174->177 183 404c28 176->183 184 404c2b-404c2f 176->184 177->176 182 404c13-404c15 177->182 182->176 187 404c17-404c18 FreeLibrary 182->187 183->184 185 404c31 call 404ad4 184->185 186 404c36-404c39 184->186 185->186 189 404c55 186->189 190 404c3b-404c42 186->190 187->176 191 404c44 190->191 192 404c4a-404c50 ExitProcess 190->192 191->192
                                                                                                                                                          APIs
                                                                                                                                                          • FreeLibrary.KERNEL32(00400000,?,?,?,00000002,00404C76,00402FF7,0040303E,?,?,?,?,?,00404830), ref: 00404C18
                                                                                                                                                          • ExitProcess.KERNEL32(00000000,?,?,?,00000002,00404C76,00402FF7,0040303E,?,?,?,?,?,00404830), ref: 00404C50
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000014.00000002.1955083565.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005D1000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005F0000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.0000000000658000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1960185530.0000000000666000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_Patch.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ExitFreeLibraryProcess
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1404682716-0

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          control_flow_graph 193 404b88-404ba2 194 404ba4-404ba7 193->194 195 404bb8-404bbf 193->195 194->195 196 404ba9-404bb6 194->196 197 404bc1-404bcd call 404a70 call 404b04 195->197 198 404bd2-404bd6 195->198 196->195 197->198 200 404be6-404bef call 404918 198->200 201 404bd8-404bdf 198->201 208 404bf1-404bf8 200->208 209 404bfa-404bff 200->209 201->200 202 404be1-404be3 201->202 202->200 208->209 211 404c1d-404c26 call 4048f0 208->211 209->211 212 404c01-404c11 call 4069f8 209->212 218 404c28 211->218 219 404c2b-404c2f 211->219 212->211 217 404c13-404c15 212->217 217->211 222 404c17-404c18 FreeLibrary 217->222 218->219 220 404c31 call 404ad4 219->220 221 404c36-404c39 219->221 220->221 224 404c55 221->224 225 404c3b-404c42 221->225 222->211 226 404c44 225->226 227 404c4a-404c50 ExitProcess 225->227 226->227
                                                                                                                                                          APIs
                                                                                                                                                          • FreeLibrary.KERNEL32(00400000,?,?,?,00000002,00404C76,00402FF7,0040303E,?,?,?,?,?,00404830), ref: 00404C18
                                                                                                                                                          • ExitProcess.KERNEL32(00000000,?,?,?,00000002,00404C76,00402FF7,0040303E,?,?,?,?,?,00404830), ref: 00404C50
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000014.00000002.1955083565.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005D1000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005F0000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.0000000000658000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1960185530.0000000000666000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_Patch.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ExitFreeLibraryProcess
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1404682716-0

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          control_flow_graph 228 40f877-40f8c1 SetErrorMode call 4051c8 LoadLibraryA 231 40f8c6-40f8cb 228->231
                                                                                                                                                          APIs
                                                                                                                                                          • SetErrorMode.KERNEL32 ref: 0040F882
                                                                                                                                                          • LoadLibraryA.KERNEL32(00000000,00000000,0040F8CC,?,00000000,0040F8EA), ref: 0040F8B1
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000014.00000002.1955083565.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005D1000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005F0000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.0000000000658000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1960185530.0000000000666000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_Patch.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorLibraryLoadMode
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 2987862817-0

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          control_flow_graph 243 40a408-40a41a FindNextFileA 244 40a425-40a42b GetLastError 243->244 245 40a41c-40a424 call 40a334 243->245
                                                                                                                                                          APIs
                                                                                                                                                          • FindNextFileA.KERNEL32(?,?), ref: 0040A413
                                                                                                                                                          • GetLastError.KERNEL32(?,?), ref: 0040A425
                                                                                                                                                            • Part of subcall function 0040A334: FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A364
                                                                                                                                                            • Part of subcall function 0040A334: FileTimeToDosDateTime.KERNEL32(?,?), ref: 0040A373
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000014.00000002.1955083565.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005D1000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005F0000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.0000000000658000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1960185530.0000000000666000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_Patch.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: FileTime$DateErrorFindLastLocalNext
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 2103556486-0

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          control_flow_graph 248 402df8-402e09 249 402e1d-402e1f 248->249 250 402e21-402e26 249->250 251 402e0b-402e1b VirtualFree 249->251 252 402e2b-402e45 250->252 251->249 252->252 253 402e47-402e51 252->253 254 402e56-402e61 253->254 254->254 255 402e63-402e66 254->255 256 402e7a-402e7c 255->256 257 402e68-402e78 VirtualFree 256->257 258 402e7e-402e87 256->258 257->256
                                                                                                                                                          APIs
                                                                                                                                                          • VirtualFree.KERNEL32(005CD708,00000000,00008000), ref: 00402E16
                                                                                                                                                          • VirtualFree.KERNEL32(005CF7AC,00000000,00008000), ref: 00402E73
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000014.00000002.1955083565.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005D1000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005F0000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.0000000000658000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1960185530.0000000000666000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_Patch.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: FreeVirtual
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1263568516-0
                                                                                                                                                          • Opcode ID: d05955e45a718781c5b4b787c19c8f8baae78645cd53195c4c0428c11ecf71af
                                                                                                                                                          • Instruction ID: bad5c8c07d8db85567d6067ffa8b301af0531aa095e7853dde6ef1fd60a671eb
                                                                                                                                                          • Opcode Fuzzy Hash: d05955e45a718781c5b4b787c19c8f8baae78645cd53195c4c0428c11ecf71af
                                                                                                                                                          • Instruction Fuzzy Hash: 9E115E712506009FD7245F45D984B2ABAE5F784714F55C07EE209AF3C1D6B8EC028B98

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          APIs
                                                                                                                                                          • CompareStringA.KERNEL32(00000800,00000001,00000000,00000000,00000000,00000000), ref: 00403D72
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000014.00000002.1955083565.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005D1000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005F0000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.0000000000658000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1960185530.0000000000666000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_Patch.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CompareString
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1825529933-0
                                                                                                                                                          • Opcode ID: f833a957531f3198c24e00bad8447986c7ee58f6d77920d5a0193ca85148cd9a
                                                                                                                                                          • Instruction ID: b0bffb1f98e96099bff94250f95a98b93a505e35f1539525066c2b05e79d391f
                                                                                                                                                          • Opcode Fuzzy Hash: f833a957531f3198c24e00bad8447986c7ee58f6d77920d5a0193ca85148cd9a
                                                                                                                                                          • Instruction Fuzzy Hash: 981101711082456EC711EAA48D83AAE7F6CDF53316B1005ABF144F50D3C77C4E028699

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          APIs
                                                                                                                                                          • CompareStringA.KERNEL32(00000800,00000001,00000000,00000000,00000000,00000000), ref: 00403D72
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000014.00000002.1955083565.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005D1000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005F0000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.0000000000658000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1960185530.0000000000666000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_Patch.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CompareString
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1825529933-0
                                                                                                                                                          • Opcode ID: 66db23c4af2a0212c26ae08eb7662cbe355c2cfd915a4f247a02a9d7d9deb789
                                                                                                                                                          • Instruction ID: bf3e2969fa572b5fe117b4410219aa4d86d51cb0f0ad4154b7570edc3f996cd0
                                                                                                                                                          • Opcode Fuzzy Hash: 66db23c4af2a0212c26ae08eb7662cbe355c2cfd915a4f247a02a9d7d9deb789
                                                                                                                                                          • Instruction Fuzzy Hash: 5301A271644609AFDB10FB69DC83A9E77ACDF44708F1104BAF509F22D1DB785F005958
                                                                                                                                                          APIs
                                                                                                                                                          • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040813B
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000014.00000002.1955083565.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005D1000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005F0000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.0000000000658000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1960185530.0000000000666000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_Patch.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CreateWindow
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 716092398-0
                                                                                                                                                          • Opcode ID: f42c82351ad1b37ab34b25bc097aeb501a8c09cfcdc322f85b8bed3a1f932ba1
                                                                                                                                                          • Instruction ID: ad932a6a948a3c5feed10dba432ea932d9e79b86078704e8990aba0154553035
                                                                                                                                                          • Opcode Fuzzy Hash: f42c82351ad1b37ab34b25bc097aeb501a8c09cfcdc322f85b8bed3a1f932ba1
                                                                                                                                                          • Instruction Fuzzy Hash: 36F07FB2704118BF9B80DE9DDC81E9B77ECEB4D2A4B05412ABA08E7201D634ED108BB4
                                                                                                                                                          APIs
                                                                                                                                                          • CreateThread.KERNEL32(?,?,Function_00004C84,00000000,?,?), ref: 00404D0C
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000014.00000002.1955083565.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005D1000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005F0000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.0000000000658000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1960185530.0000000000666000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_Patch.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CreateThread
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 2422867632-0
                                                                                                                                                          • Opcode ID: e61563ba41f31488982ff2a5faf7dc01e67ea7ddb2fd76e41a90a46a2a3ee832
                                                                                                                                                          • Instruction ID: 66961fe841b21d30eee555e34491a277d3e0da27be9a75b63725a3affb8da9d0
                                                                                                                                                          • Opcode Fuzzy Hash: e61563ba41f31488982ff2a5faf7dc01e67ea7ddb2fd76e41a90a46a2a3ee832
                                                                                                                                                          • Instruction Fuzzy Hash: 79F049B1205104AFE304CB4DD848E6ABBBCEB98354F11807AF608EB291D6789D05A764
                                                                                                                                                          APIs
                                                                                                                                                          • KiUserCallbackDispatcher.NTDLL(00000000,00404961,?,005CD048,?,005CF7C8,?,00404BEB,?,?,?,00000002,00404C76,00402FF7,0040303E), ref: 00404951
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000014.00000002.1955083565.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005D1000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005F0000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.0000000000658000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1960185530.0000000000666000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_Patch.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CallbackDispatcherUser
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 2492992576-0
                                                                                                                                                          • Opcode ID: 87f68ce69ecaf1e34d7447c4149b8d03373e4f610e5e5b1b44b0c7fc1e589072
                                                                                                                                                          • Instruction ID: e8ab4dec7c8d8cc7a12ca14cef34526f1edb23d4395377e4deaf36d5e46df216
                                                                                                                                                          • Opcode Fuzzy Hash: 87f68ce69ecaf1e34d7447c4149b8d03373e4f610e5e5b1b44b0c7fc1e589072
                                                                                                                                                          • Instruction Fuzzy Hash: E0F0E9F2205A056FD3214F66ED80D13BBDCF7D97603D64077EA04A3B50C6389C1087A4
                                                                                                                                                          APIs
                                                                                                                                                          • LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00406F7A
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000014.00000002.1955083565.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005D1000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005F0000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.0000000000658000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1960185530.0000000000666000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_Patch.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: LoadString
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 2948472770-0
                                                                                                                                                          APIs
                                                                                                                                                          • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040640E
                                                                                                                                                            • Part of subcall function 00406654: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,00000000), ref: 00406670
                                                                                                                                                            • Part of subcall function 00406654: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 0040668E
                                                                                                                                                            • Part of subcall function 00406654: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 004066AC
                                                                                                                                                            • Part of subcall function 00406654: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 004066CA
                                                                                                                                                            • Part of subcall function 00406654: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406759,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406713
                                                                                                                                                            • Part of subcall function 00406654: RegQueryValueExA.ADVAPI32(?,004068C0,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406759,?,80000001), ref: 00406731
                                                                                                                                                            • Part of subcall function 00406654: RegCloseKey.ADVAPI32(?,00406760,00000000,?,?,00000000,00406759,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406753
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.1955083565.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000014.00000002.1955126707.00000000005D1000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000014.00000002.1955126707.00000000005F0000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000014.00000002.1955126707.0000000000658000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000014.00000002.1960185530.0000000000666000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_Patch.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Open$FileModuleNameQueryValue$Close
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 2796650324-0
                                                                                                                                                          APIs
                                                                                                                                                          • GetFileAttributesA.KERNEL32(00000000), ref: 0040A223
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: AttributesFile
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3188754299-0
                                                                                                                                                          APIs
                                                                                                                                                          • CreateMutexA.KERNEL32(?,?,?,?,?,?), ref: 0040741E
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CreateMutex
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1964310414-0
                                                                                                                                                          APIs
                                                                                                                                                          • FindClose.KERNEL32(?,?,0040A3F6,00000000,?), ref: 0040A438
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CloseFind
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1863332320-0
                                                                                                                                                          APIs
                                                                                                                                                          • SetErrorMode.KERNEL32(?,0040F8F1), ref: 0040F8E4
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorMode
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 2340568224-0
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ExitThreadUser
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3424019298-0
                                                                                                                                                          APIs
                                                                                                                                                          • SetErrorMode.KERNEL32(?,0040F8F1), ref: 0040F8E4
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorMode
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 2340568224-0
                                                                                                                                                          APIs
                                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004), ref: 00401702
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: AllocVirtual
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 4275171209-0
                                                                                                                                                          APIs
                                                                                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,?,?,00000000), ref: 004064AD
                                                                                                                                                          • GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 004064C4
                                                                                                                                                          • lstrcpyn.KERNEL32(?,?,?,?,?,00000000), ref: 004064F4
                                                                                                                                                          • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,?,?,00000000), ref: 00406558
                                                                                                                                                          • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,?,00000000), ref: 0040658E
                                                                                                                                                          • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,?,00000000), ref: 004065A1
                                                                                                                                                          • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,?,00000000), ref: 004065B3
                                                                                                                                                          • lstrlen.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,?,00000000), ref: 004065BF
                                                                                                                                                          • lstrcpyn.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,?), ref: 004065F3
                                                                                                                                                          • lstrlen.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 004065FF
                                                                                                                                                          • lstrcpyn.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406621
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                                                                                                          • String ID: GetLongPathNameA$\$kernel32.dll
                                                                                                                                                          • API String ID: 3245196872-1565342463
                                                                                                                                                          APIs
                                                                                                                                                          • FindFirstFileA.KERNEL32(?,?), ref: 0040A094
                                                                                                                                                          • FindClose.KERNEL32(00000000,?,?), ref: 0040A09F
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Find$CloseFileFirst
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 2295610775-0
                                                                                                                                                          APIs
                                                                                                                                                          • FindFirstFileA.KERNEL32(00000000,?), ref: 0040A1AB
                                                                                                                                                          • FindClose.KERNEL32(00000000,00000000,?), ref: 0040A1B6
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Find$CloseFileFirst
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 2295610775-0
                                                                                                                                                          APIs
                                                                                                                                                          • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 0040A64D
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: DiskFreeSpace
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1705453755-0
                                                                                                                                                          APIs
                                                                                                                                                          • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D2BA
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: InfoLocale
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 2299586839-0
                                                                                                                                                          • Opcode ID: bf36a3683dfcfd5ed2b9b0fe9a56c4ea51107a501e1cb39fa635c3c93430f12e
                                                                                                                                                          • Instruction ID: e517db6e09904afc974c349e5dfa122a21d1fe16b9bb3eb40bc0ba448f1bbeec
                                                                                                                                                          • Opcode Fuzzy Hash: bf36a3683dfcfd5ed2b9b0fe9a56c4ea51107a501e1cb39fa635c3c93430f12e
                                                                                                                                                          • Instruction Fuzzy Hash: 09E0D872B0421817D311A5A98C82AF7B25CAB58320F0002BFBE09E73C5EDB4DD8442ED
                                                                                                                                                          APIs
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Version
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1889659487-0
                                                                                                                                                          • Opcode ID: d3765a44ea23ffd174db987aa9a6078b78e92e617b3328f2af16296b17a0c507
                                                                                                                                                          • Instruction ID: 7e7803f747c259e265a1e28fd324745637ae4dbdca50d3502b6bd23008ee2547
                                                                                                                                                          • Opcode Fuzzy Hash: d3765a44ea23ffd174db987aa9a6078b78e92e617b3328f2af16296b17a0c507
                                                                                                                                                          • Instruction Fuzzy Hash: A1F017B05087019FC340DF69D861E1577E4FB59710F018A3EE498D73D0D738981A9F56
                                                                                                                                                          APIs
                                                                                                                                                          • GetLocaleInfoA.KERNEL32(?,?,?,00000002), ref: 0040D2FB
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: InfoLocale
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 2299586839-0
                                                                                                                                                          • Opcode ID: 7a49a5b6450d6858172dc4dd861cfb31e109720f08f1095ea788c1aee210495f
                                                                                                                                                          • Instruction ID: 06437d22d00813501e517c8f103118be5a42ed783dba3d3633909b98c2f95b31
                                                                                                                                                          • Opcode Fuzzy Hash: 7a49a5b6450d6858172dc4dd861cfb31e109720f08f1095ea788c1aee210495f
                                                                                                                                                          • Instruction Fuzzy Hash: 7AD05E6270D2603AE210519B2D95DBB5EDCCAC57B1F10413BFA48D6281E2248C0A927A
                                                                                                                                                          APIs
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: LocalTime
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 481472006-0
                                                                                                                                                          • Opcode ID: ffecdcc069200d56f7138628c2879d8177b73864d41669e8442184d02e6143fe
                                                                                                                                                          • Instruction ID: 4da99afc40f1f98a46de33cd03a6bcaa7dbbee62c1106452e4c43042e8d24836
                                                                                                                                                          • Opcode Fuzzy Hash: ffecdcc069200d56f7138628c2879d8177b73864d41669e8442184d02e6143fe
                                                                                                                                                          • Instruction Fuzzy Hash: D1D0926040C621A1C2007B16C88147EBBE4AE81A05F808DAEF8C8901E1EB39D5A4D36B
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                                                                                                          • Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
                                                                                                                                                          • Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                                                                                                          • Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: d17ffc1b7c175c9f3f133bcf490b3ef334a0cf6f2a578ee1034f9dfeca47056c
                                                                                                                                                          • Instruction ID: 84055fddaba81569a5d8b2d82b2ee482eff4282c83ee4910e97257892026859f
                                                                                                                                                          • Opcode Fuzzy Hash: d17ffc1b7c175c9f3f133bcf490b3ef334a0cf6f2a578ee1034f9dfeca47056c
                                                                                                                                                          • Instruction Fuzzy Hash: A701C432B017110B870CDD3ECD9862BB6D3ABC8910F09C63E95C9C72C4DE318C1AC686
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 93a0601c067ca857fdb21d9c4cc9a89154ff08232491ff9cf2ada0e2e0072270
                                                                                                                                                          • Instruction ID: 8be714bd0922a41daacc2ac92aa2a127ffcd341ce1cbe069f47596bb33d13b03
                                                                                                                                                          • Opcode Fuzzy Hash: 93a0601c067ca857fdb21d9c4cc9a89154ff08232491ff9cf2ada0e2e0072270
                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 47ce66c076135909b43150318d1ed897b7cb87cc9fb7e0d192ab8b8c94ffa1cd
                                                                                                                                                          • Instruction ID: be517312669848e78ddb251ee1510fb2c772ffb862241685daf4a367c6f2c35f
                                                                                                                                                          • Opcode Fuzzy Hash: 47ce66c076135909b43150318d1ed897b7cb87cc9fb7e0d192ab8b8c94ffa1cd
                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000014.00000002.1955083565.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005D1000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005F0000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1960185530.0000000000666000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_Patch.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 82bacb4e5e0897c9c52d6f33446234db0bf306de5e4065b18cc4022b7481dd0b
                                                                                                                                                          • Instruction ID: 0e3a928910145dff67c2b6bb05e154c5528f3c0bbb04a2fdc2c0aa17a17cb04e
                                                                                                                                                          • Opcode Fuzzy Hash: 82bacb4e5e0897c9c52d6f33446234db0bf306de5e4065b18cc4022b7481dd0b
                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000014.00000002.1955083565.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005D1000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005F0000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1960185530.0000000000666000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_Patch.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: cd84ffe6ea6a81c4340570ca6209e6b4f33e955ef5bde5832221e54f37e4dc04
                                                                                                                                                          • Instruction ID: 0fc36bcf4fd42df20c963f6a891dc8fdd16caa04d2384bbc12abbbfce4a7cffb
                                                                                                                                                          • Opcode Fuzzy Hash: cd84ffe6ea6a81c4340570ca6209e6b4f33e955ef5bde5832221e54f37e4dc04
                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000014.00000002.1955083565.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005D1000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005F0000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1960185530.0000000000666000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_Patch.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 09678ce9b8719395b471a4889fb3da65c48f231be5c76d04a4415aed8521aeb0
                                                                                                                                                          • Instruction ID: ccce525f6f6be9adbc1ae2ffa7d47bd0e551b4685be3238b98922294dc034860
                                                                                                                                                          • Opcode Fuzzy Hash: 09678ce9b8719395b471a4889fb3da65c48f231be5c76d04a4415aed8521aeb0
                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000014.00000002.1955083565.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005D1000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005F0000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1960185530.0000000000666000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_Patch.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 9687dbfc2d74068449d80db22adf3b5f11521e9f515cdbb23a067c9dea8ecc70
                                                                                                                                                          • Instruction ID: bd3d806b864222197137e147694fb30cbe0f9892faa18bc1da1a80bb22eb5736
                                                                                                                                                          • Opcode Fuzzy Hash: 9687dbfc2d74068449d80db22adf3b5f11521e9f515cdbb23a067c9dea8ecc70
                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000014.00000002.1955083565.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005D1000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005F0000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1960185530.0000000000666000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_Patch.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 6d3e9f496195e2c5ceb10e8575df81110131f91c0edbb68defc78aea3677f3a6
                                                                                                                                                          • Instruction ID: 9e3839eb7f6ff53a5b0c63efa45c393c42b4130d6daf6bebf45960ab6ef0b1a9
                                                                                                                                                          • Opcode Fuzzy Hash: 6d3e9f496195e2c5ceb10e8575df81110131f91c0edbb68defc78aea3677f3a6
                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000014.00000002.1955083565.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005D1000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005F0000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1960185530.0000000000666000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_Patch.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 4e2ae50f9b3e9052029a7e5d490ee08ed846f38c8d29f6eae88bb7dcd1cb6c90
                                                                                                                                                          • Instruction ID: 5805db2efda80558d7c64ede829084e8fea8faa27671ae35df1c06b79080d963
                                                                                                                                                          • Opcode Fuzzy Hash: 4e2ae50f9b3e9052029a7e5d490ee08ed846f38c8d29f6eae88bb7dcd1cb6c90
                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000014.00000002.1955083565.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005D1000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005F0000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1960185530.0000000000666000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_Patch.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: a71fd40d3044a45c558ec3c06f5914df48140acd3f981dfaa54bf272d70c7eeb
                                                                                                                                                          • Instruction ID: 0e44d411f39d25679ebce584135f8b2d1780aba4ea5c023ee45b5d00b5e73a8e
                                                                                                                                                          • Opcode Fuzzy Hash: a71fd40d3044a45c558ec3c06f5914df48140acd3f981dfaa54bf272d70c7eeb
                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000014.00000002.1955083565.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005D1000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005F0000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          • Associated: 00000014.00000002.1960185530.0000000000666000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_Patch.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 06d1da923a1647c9e76e466e3a5a7946d7c1b4709d7de6ca4b3704c922e3cca2
                                                                                                                                                          • Instruction ID: c513f6b1168a9112d575e2bf3b821372c0cbfd5a4983372f5057f1c6570498d8
                                                                                                                                                          • Opcode Fuzzy Hash: 06d1da923a1647c9e76e466e3a5a7946d7c1b4709d7de6ca4b3704c922e3cca2
                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                          APIs
                                                                                                                                                          • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 00410B25
                                                                                                                                                            • Part of subcall function 00410AF0: GetProcAddress.KERNEL32(00000000), ref: 00410B09
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: AddressHandleModuleProc
                                                                                                                                                          • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                                                                                                          • API String ID: 1646373207-1918263038
                                                                                                                                                          • Opcode ID: 2433f4a8f5941641ec323bd1de4e45f469cc96b9fa5bd255fbe26df3147f67c6
                                                                                                                                                          • Instruction ID: 41f02b592aec5c50c35ec929f01136ce0f58b28e0beaaa74dd9ced15939b7816
                                                                                                                                                          • Opcode Fuzzy Hash: 2433f4a8f5941641ec323bd1de4e45f469cc96b9fa5bd255fbe26df3147f67c6
                                                                                                                                                          • Instruction Fuzzy Hash: 754137B16C67046B5350ABAE78228EA37D8DAA4754760C03FF4048B756DFF8B8C1962D
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CharNext
                                                                                                                                                          • String ID: $ $ $"$"$"$"$"$"
                                                                                                                                                          • API String ID: 3213498283-3597982963
                                                                                                                                                          • Opcode ID: d879601b215014b92cbdc9bf6d7a60d161fa4f9c74acb53613478e46e0586e0c
                                                                                                                                                          • Instruction ID: b1f1235257fcfa91303e850b047b93378a5f67fcad0b885d2a6807929ea4b06c
                                                                                                                                                          • Opcode Fuzzy Hash: d879601b215014b92cbdc9bf6d7a60d161fa4f9c74acb53613478e46e0586e0c
                                                                                                                                                          • Instruction Fuzzy Hash: 4A3165916083D42EEB322AB99CC432B2FCC4B56356F1809FFA541B63D7D97C4941835E
                                                                                                                                                          APIs
                                                                                                                                                          • FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 0040816C
                                                                                                                                                          • RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 00408178
                                                                                                                                                          • RegisterClipboardFormatA.USER32(MSH_WHEELSUPPORT_MSG), ref: 00408187
                                                                                                                                                          • RegisterClipboardFormatA.USER32(MSH_SCROLL_LINES_MSG), ref: 00408193
                                                                                                                                                          • SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004081AB
                                                                                                                                                          • SendMessageA.USER32(00000000,?,00000000,00000000), ref: 004081CF
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ClipboardFormatRegister$MessageSend$FindWindow
                                                                                                                                                          • String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
                                                                                                                                                          • API String ID: 1416857345-3736581797
                                                                                                                                                          • Opcode ID: 0c39f5f1bbaddc033d3fc44fe91624ca802bdabca0d8cb1786fa4f406ccf2e6f
                                                                                                                                                          • Instruction ID: e97d43b0015e8c277e894943645c5a764ef86f3b6875960b9750d38bca844fa2
                                                                                                                                                          • Opcode Fuzzy Hash: 0c39f5f1bbaddc033d3fc44fe91624ca802bdabca0d8cb1786fa4f406ccf2e6f
                                                                                                                                                          • Instruction Fuzzy Hash: 27117071644302AFE310AF55CD41B6AB7A8EF49354F20447FF880AF3C1DAB86C418BA9
                                                                                                                                                          APIs
                                                                                                                                                          • MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BB2
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Message
                                                                                                                                                          • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                                                                                                                                                          • API String ID: 2030045667-32948583
                                                                                                                                                          • Opcode ID: 6d2f583770a5c284393d97a9bebb9e295efe89f44ea87cbb6e75609412fb254c
                                                                                                                                                          • Instruction ID: 485fee4f3643b5c2487d1ddf534532fecee11c890710d85dc15118134b43ced6
                                                                                                                                                          • Opcode Fuzzy Hash: 6d2f583770a5c284393d97a9bebb9e295efe89f44ea87cbb6e75609412fb254c
                                                                                                                                                          • Instruction Fuzzy Hash: 82A1B730B042548BDF21AB2DC988B9977F4EB09714F1441F6E849BB3C2CBBD9985CB59
                                                                                                                                                          APIs
                                                                                                                                                          • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411E65
                                                                                                                                                          • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00411E81
                                                                                                                                                          • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00411EBA
                                                                                                                                                          • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411F37
                                                                                                                                                          • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 00411F50
                                                                                                                                                          • VariantCopy.OLEAUT32(?), ref: 00411F85
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 351091851-3916222277
                                                                                                                                                          • Opcode ID: be779c32383df5b142a194d8c9856758cccf68a2a87930905684b97ec98eec7f
                                                                                                                                                          • Instruction ID: 9baf8a980d0ccaf320f07e7202fd15771a3ed65a479e5a3214ff70033aed8183
                                                                                                                                                          • Opcode Fuzzy Hash: be779c32383df5b142a194d8c9856758cccf68a2a87930905684b97ec98eec7f
                                                                                                                                                          • Instruction Fuzzy Hash: 0351FE759006299BCB22DB59C891BD9B3BCAF48304F0441DAF609E7222D674AFC58F69
                                                                                                                                                          APIs
                                                                                                                                                          • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404BCB,?,?,?,00000002,00404C76,00402FF7,0040303E), ref: 00404B3D
                                                                                                                                                          • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404BCB,?,?,?,00000002,00404C76,00402FF7,0040303E), ref: 00404B43
                                                                                                                                                          • GetStdHandle.KERNEL32(000000F5,00404B8C,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404BCB), ref: 00404B58
                                                                                                                                                          • WriteFile.KERNEL32(00000000,000000F5,00404B8C,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404BCB), ref: 00404B5E
                                                                                                                                                          • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404B7C
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: FileHandleWrite$Message
                                                                                                                                                          • String ID: Error$Runtime error at 00000000
                                                                                                                                                          • API String ID: 1570097196-2970929446
                                                                                                                                                          APIs
                                                                                                                                                            • Part of subcall function 0040D814: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D831
                                                                                                                                                            • Part of subcall function 0040D814: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D855
                                                                                                                                                            • Part of subcall function 0040D814: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D870
                                                                                                                                                            • Part of subcall function 0040D814: LoadStringA.USER32(00000000,0000FFEE,?,00000100), ref: 0040D906
                                                                                                                                                          • CharToOemA.USER32(?,?), ref: 0040D9D3
                                                                                                                                                          • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?,00000400), ref: 0040D9F0
                                                                                                                                                          • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?,00000400), ref: 0040D9F6
                                                                                                                                                          • GetStdHandle.KERNEL32(000000F4,0040DA60,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?,00000400), ref: 0040DA0B
                                                                                                                                                          • WriteFile.KERNEL32(00000000,000000F4,0040DA60,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?,00000400), ref: 0040DA11
                                                                                                                                                          • LoadStringA.USER32(00000000,0000FFEF,?,00000040), ref: 0040DA33
                                                                                                                                                          • MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040DA49
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 185507032-0
                                                                                                                                                          APIs
                                                                                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403C32
                                                                                                                                                          • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,f,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403C65
                                                                                                                                                          • RegCloseKey.ADVAPI32(?,00403C88,00000000,?,00000004,00000000,f,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403C7B
                                                                                                                                                          Strings
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CloseOpenQueryValue
                                                                                                                                                          • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL$f
                                                                                                                                                          • API String ID: 3677997916-3321666425
                                                                                                                                                          APIs
                                                                                                                                                          • Sleep.KERNEL32(00000000,?,004019CE), ref: 00401AB7
                                                                                                                                                          • Sleep.KERNEL32(0000000A,00000000,?,004019CE), ref: 00401ACD
                                                                                                                                                          • Sleep.KERNEL32(00000000,?,?,?,004019CE), ref: 00401AFB
                                                                                                                                                          • Sleep.KERNEL32(0000000A,00000000,?,?,?,004019CE), ref: 00401B11
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Sleep
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3472027048-0
                                                                                                                                                          APIs
                                                                                                                                                          • GetCurrentDirectoryA.KERNEL32(00000105,?), ref: 004030F5
                                                                                                                                                          • SetCurrentDirectoryA.KERNEL32(?,00000105,?), ref: 004030FB
                                                                                                                                                          • GetCurrentDirectoryA.KERNEL32(00000105,?), ref: 0040310A
                                                                                                                                                          • SetCurrentDirectoryA.KERNEL32(?,00000105,?), ref: 0040311B
                                                                                                                                                          Strings
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CurrentDirectory
                                                                                                                                                          • String ID: :
                                                                                                                                                          • API String ID: 1611563598-336475711
                                                                                                                                                          • Opcode ID: 22ccac4db5180eea816c3e9c892c9d427bf1f892fd5cd068f788252a728ced4c
                                                                                                                                                          • Instruction ID: 06a94c7a72b9c871e16b1c73e7d3e6c0996a5a500bab6bd0aacfa0833e3f3c48
                                                                                                                                                          • Opcode Fuzzy Hash: 22ccac4db5180eea816c3e9c892c9d427bf1f892fd5cd068f788252a728ced4c
                                                                                                                                                          • Instruction Fuzzy Hash: 78F096712447801AE310F7658852BDB76DC8F55344F08446EBAC8DB3C2E6B88944436B
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000014.00000002.1955083565.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005D1000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005F0000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.00000000005FB000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1955126707.0000000000658000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                          • Associated: 00000014.00000002.1960185530.0000000000666000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_Patch.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          APIs
                                                                                                                                                          • API ID: InitVariant
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1927566239-0
                                                                                                                                                          APIs
                                                                                                                                                          • Sleep.KERNEL32(00000000,?,?,00000000,004019F6), ref: 00401E1A
                                                                                                                                                          • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,004019F6), ref: 00401E34
                                                                                                                                                          • API ID: Sleep
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3472027048-0
                                                                                                                                                          APIs
                                                                                                                                                          • GetThreadLocale.KERNEL32(?,00000000,0040D5BF,?,?,00000000), ref: 0040D540
                                                                                                                                                            • Part of subcall function 0040D29C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D2BA
                                                                                                                                                          • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D5BF,?,?,00000000), ref: 0040D570
                                                                                                                                                          • EnumCalendarInfoA.KERNEL32(Function_0000D474,00000000,00000000,00000004), ref: 0040D57B
                                                                                                                                                          • GetThreadLocale.KERNEL32(00000000,00000003,Function_0000D474,00000000,00000000,00000004,00000000,0040D5BF,?,?,00000000), ref: 0040D599
                                                                                                                                                          • EnumCalendarInfoA.KERNEL32(0040D4B0,00000000,00000000,00000003), ref: 0040D5A4
                                                                                                                                                          • API ID: Locale$InfoThread$CalendarEnum
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 4102113445-0
                                                                                                                                                          APIs
                                                                                                                                                          • GetThreadLocale.KERNEL32(?,00000000,0040D7A8,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D607
                                                                                                                                                            • Part of subcall function 0040D29C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D2BA
                                                                                                                                                          Strings
                                                                                                                                                          • API ID: Locale$InfoThread
                                                                                                                                                          • String ID: eeee$ggg$yyyy
                                                                                                                                                          • API String ID: 4232894706-1253427255
                                                                                                                                                          APIs
                                                                                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,GetFileAttributesExA), ref: 0040A0D9
                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A0DF
                                                                                                                                                          Strings
                                                                                                                                                          • API ID: AddressHandleModuleProc
                                                                                                                                                          • String ID: GetFileAttributesExA$kernel32.dll
                                                                                                                                                          • API String ID: 1646373207-595542130
                                                                                                                                                          APIs
                                                                                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0040F31A
                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040F32B
                                                                                                                                                          Strings
                                                                                                                                                          • API ID: AddressHandleModuleProc
                                                                                                                                                          • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                                                                                          • API String ID: 1646373207-3712701948
                                                                                                                                                          APIs
                                                                                                                                                          • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411BDB
                                                                                                                                                          • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00411BF7
                                                                                                                                                          • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411C6E
                                                                                                                                                          • VariantClear.OLEAUT32(?), ref: 00411C97
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ArraySafe$Bound$ClearIndexVariant
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 920484758-0
                                                                                                                                                          APIs
                                                                                                                                                          • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D831
                                                                                                                                                          • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D855
                                                                                                                                                          • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D870
                                                                                                                                                          • LoadStringA.USER32(00000000,0000FFEE,?,00000100), ref: 0040D906
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3990497365-0
                                                                                                                                                          APIs
                                                                                                                                                          • FindNextFileA.KERNEL32(?,?), ref: 0040A345
                                                                                                                                                          • GetLastError.KERNEL32(?,?), ref: 0040A34E
                                                                                                                                                          • FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A364
                                                                                                                                                          • FileTimeToDosDateTime.KERNEL32(?,?), ref: 0040A373
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: FileTime$DateErrorFindLastLocalNext
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 2103556486-0
                                                                                                                                                          APIs
                                                                                                                                                          • FindResourceA.KERNEL32(?,?,?), ref: 004206EF
                                                                                                                                                          • LoadResource.KERNEL32(?,00420774,?,?,?,0041AD6C,?,00000001,00000000,?,0042061A,00000000,?), ref: 00420709
                                                                                                                                                          • SizeofResource.KERNEL32(?,00420774,?,00420774,?,?,?,0041AD6C,?,00000001,00000000,?,0042061A,00000000,?), ref: 00420723
                                                                                                                                                          • LockResource.KERNEL32(00420278,00000000,?,00420774,?,00420774,?,?,?,0041AD6C,?,00000001,00000000,?,0042061A,00000000), ref: 0042072D
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3473537107-0
                                                                                                                                                          APIs
                                                                                                                                                          • UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 004043A2
                                                                                                                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?), ref: 004043DF
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ExceptionFilterUnhandled
                                                                                                                                                          • String ID: <D@
                                                                                                                                                          • API String ID: 3192549508-821628535
                                                                                                                                                          APIs
                                                                                                                                                          • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C016), ref: 0040BFAE
                                                                                                                                                          • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,0040C016), ref: 0040BFB4
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1955126707.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: DateFormatLocaleThread
                                                                                                                                                          • String ID: yyyy
                                                                                                                                                          • API String ID: 3303714858-3145165042
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000001C.00000002.2473359257.00000000008F0000.00000004.00000020.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_28_2_8f0000_Patch.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 42cbad7e28e516686d332c3a0663a05a505e701af99a628bedb35e7154558a3c
                                                                                                                                                          • Instruction ID: 26be9c0cb70ec263171fac7dc7ca63c0a8d654ea79692619ae4cf20f00b14683
                                                                                                                                                          • Opcode Fuzzy Hash: 42cbad7e28e516686d332c3a0663a05a505e701af99a628bedb35e7154558a3c
                                                                                                                                                          • Instruction Fuzzy Hash: 0CA002F7C36E748BC5639B19C885712B2D16A2511770E5D5888AD52612C626E570C6C8